Re: [PATCH] /dev/random: Insufficient of entropy on many architectures

From: Stephan Mueller
Date: Fri Sep 13 2013 - 01:36:38 EST


Am Donnerstag, 12. September 2013, 17:31:48 schrieb Jörn Engel:

Hi Jörn,

>On Tue, 10 September 2013 15:08:12 -0700, John Stultz wrote:
>> Though
>> I probably should be hesitant with my suggestions, as I'm not well
>> versed in RNG theory.
>
>The basic principle of Ted's RNG is very simple and quite sane:
>- You collect as much data as possible, some of which is (hopefully)
> unpredictable.
>- All the data gets dumped into a small buffer.
>- When reading from the buffer, you create a crypto-hash of the entire
> buffer. Even if most of the buffer is predictable, the few
> unpredictable bits will randomly flip every output bit.

And here the RNG theory breaks: a whitening function (crypto function)
like the used SHA1 does not add entropy. Thus, the SHA1 just spreads out
the entropy evenly over the output buffer. As entropy can be considered
as a kind of percentage value, if you have, say, 10% of your input
buffer holding entropy, applying a whitening function, you output buffer
still holds 10% of entropy only.

That said, simply using a whitening function on a buffer with poor
entropy is NOT going to cut it.

>- Half of the hash gets returned to the reader, the other half gets
> added back into the pool.
>
>It doesn't matter if you collect predictable data - it neither helps

Oh yes, it hurts, if you update the entropy estimator on those
predictable bits. Because then you get a deterministic RNG like
/dev/urandom in the worst case. Thus you degrade the quality of
/dev/random which relies on the blocking nature.

>nor hurts. But you should collect as much unpredictable data as
>possible and do it as cheaply as possible. If you want to improve the
>RNG, you either collect more data, collect better (less predictable)
>data or make the collection cheaper.
>
>Jörn
>
>--
>People really ought to be forced to read their code aloud over the
>phone. That would rapidly improve the choice of identifiers.
>-- Al Viro


Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/