Re: [PATCH] /dev/random: Insufficient of entropy on many architectures

From: Stephan Mueller
Date: Sun Sep 15 2013 - 07:12:46 EST

Next message: Thierry Reding: "Re: [PATCH v3 0/4] LP3943 MFD driver for a GPIO expander and a PWMgenerator"
Previous message: Russell King - ARM Linux: "Re: dev->of_node overwrite can cause device loading with differentdriver"
In reply to: Theodore Ts'o: "Re: [PATCH] /dev/random: Insufficient of entropy on manyarchitectures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Am Freitag, 13. September 2013, 14:59:31 schrieb Theodore Ts'o:

Hi Theodore,

>On Fri, Sep 13, 2013 at 07:36:20AM +0200, Stephan Mueller wrote:
>
>However, if you are worried about a malicious entropy source, things
>are a little bit different. Suppose RDRAND == AES(i++, NSA_KEY),
>where the NSA doesn't know the starting value of i. But if it get can
>get a raw RDRAND value (say, someone uses it without doing any
>whitening as a session key or as a D-H parameter), it can decrypt the
>output using the NSA_KEY, and then now that it knows i, it can brute
>force break the RDRAND output, even if it's not entirely sure how many
>times RDRAND has been called between that cleanb RDRAND value and the
>RDRAND output it is trying to break.
>
>In *this* case, smearing out the value of RDRAND across the entropy
>pool does help, becuase it makes it significantly harder to get a
>clean RDRAND value to decrypt.

Agreed. I was only talking about "well-behaved" entropy sources.
>
>
>That being said, the much bigger problem that I'm worried about is not
>necessarily a trojan'ed RDRAND, but rather on embedded ARM and MIPS
>devices where we have unsufficient entropy, and on the first boot out
>of the box, there is no random seed file that can be fixed in at boot

Yes, my local MIPS-based router which is a very ubiquitous one in
Germany (Fritz Box) does not seed /dev/random but yet starts using
/dev/urandom during boot cycle.

>time. Mixing in personalization information (serial numbers, MAC
>addresses) which *hopefully* the NSA wouldn't know in the case of
>pervasive, bulk surveillance, is a bit of a help. But it's certainly
>no help against a direct, targetted attack.

That is why I am hoping that the CPU jitter as harvested by my RNG will
help as it delivers entropy on demand in a bandwidth where the initial
seeding may not needed any more and we have sufficient entropy during
boot sequence.
>
>Regards,
>
> - Ted

Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Thierry Reding: "Re: [PATCH v3 0/4] LP3943 MFD driver for a GPIO expander and a PWMgenerator"
Previous message: Russell King - ARM Linux: "Re: dev->of_node overwrite can cause device loading with differentdriver"
In reply to: Theodore Ts'o: "Re: [PATCH] /dev/random: Insufficient of entropy on manyarchitectures"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]