Re: CONFIG_RANDOM (compromise?)

Albert Cahalan (albert@ccs.neu.edu)
Wed, 15 May 1996 20:16:00 -0400 (EDT)


From: "Theodore Y. Ts'o" <tytso@mit.edu>
> From: Martin Mares <mj@k332.feld.cvut.cz>
>
> OK. There really should be a kernel-level random number generator,
> because it's useful in many kernel parts related to networking
> (although they usually generate the numbers themselves for now). On
> the other side, we probably should make the current high-quality (but
> high-overhead) generator optional and create a kernel-level interface
> to a 32-bit generator using the high-quality one if it's present or
> something else (a simple linear congruential generator?) instead if
> it isn't.
>
> No, don't bother with a simple linear congruential generator --- those
> are trivial to break, and most of the places where you need strong
> random numbers, a linear congruential generator simply won't cut it.
>
> That's why I've resisted strenuously any suggestion that /dev/random
> might be replaced by a pseudo-random number generator --- that will
> only give people a false sense of security, while network crackers cackle
> with glee over how easy it is to break into Linux boxes....

Let's compromise:

Add an option called CONFIG_WEAK_RANDOM. When set, most of the
calls to add randomness become NOPs and the pool becomes much
smaller, perhaps only 256 bytes. A pseudo-random number generator
is used, but we give it a kick every now and then with random data.
Output from it gets hashed with existing code, such as the network
or decompression CRC checks. Since most of the add randomness calls
will be disabled, let the remaining ones add twice as many bits.

Because this still does _some_ of the random data collection,
it will still be much stronger than the typical libc junk.
I'd like to see #define used so that the extra calls to add
randomness disappear completely.

Those of you that are _really_ paranoid (see a doctor...) can
even add CONFIG_STRONG_RANDOM to have every single IRQ add
randomness. You can get 2 bits of Pentium counter data every
clock tick! Let the rest of us avoid the overhead.
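An added illustration, not code from this thread or from the kernel: a toy C sketch of the CONFIG_WEAK_RANDOM idea described above (a 256-byte pool, an LCG that gets kicked with pool data every so often, and output folded through a CRC-32 of the kind the network and decompression code already compute). The LCG constants, the kick period and the rotate-and-xor mixing are my own assumptions.

```c
#include <stdint.h>
#include <stddef.h>

/* Toy sketch of the CONFIG_WEAK_RANDOM proposal: a 256-byte pool, an LCG
 * "kicked" with pool data every few outputs, output folded through a CRC-32
 * like the network/decompression code already computes.  Constants are
 * assumptions; CRC-32 is a checksum, not a cryptographic hash. */
#define POOL_BYTES  256
#define KICK_PERIOD 16               /* reseed the LCG every 16 outputs */
struct weak_pool {
    uint8_t  pool[POOL_BYTES];
    size_t   pos;                    /* next pool slot to mix into */
    uint32_t lcg;                    /* LCG state */
    unsigned since_kick;             /* outputs issued since the last kick */
};

/* Standard reflected CRC-32 (poly 0xEDB88320); pass crc=0 to start fresh. */
uint32_t crc32_update(uint32_t crc, const uint8_t *p, size_t n)
{
    crc = ~crc;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Mix event bytes into the pool; rotating the old slot keeps a repeated
 * input from simply overwriting what was there. */
void weak_add_randomness(struct weak_pool *wp, const void *data, size_t n)
{
    const uint8_t *d = data;
    for (size_t i = 0; i < n; i++) {
        uint8_t old = wp->pool[wp->pos];
        wp->pool[wp->pos] = (uint8_t)(((old << 3) | (old >> 5)) ^ d[i]);
        wp->pos = (wp->pos + 1) % POOL_BYTES;
    }
}

/* One 32-bit output: kick the LCG from the pool periodically, step it, then
 * hash state and pool together so raw LCG state never reaches the caller. */
uint32_t weak_get_random(struct weak_pool *wp)
{
    if (wp->since_kick++ % KICK_PERIOD == 0)
        wp->lcg ^= crc32_update(0, wp->pool, POOL_BYTES);
    wp->lcg = wp->lcg * 1664525u + 1013904223u;   /* Numerical Recipes LCG */
    uint8_t s[4] = { (uint8_t)(wp->lcg >> 24), (uint8_t)(wp->lcg >> 16),
                     (uint8_t)(wp->lcg >> 8),  (uint8_t)wp->lcg };
    return crc32_update(crc32_update(0, wp->pool, POOL_BYTES), s, 4);
}
```

Two pools seeded identically produce identical output until one of them receives an add-randomness call, which is the whole point of the periodic kick.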