From nobody Sun Mar 27 10:01:08 2022 X-Original-To: freebsd-security@mlmmj.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 299B11A4E3BC for ; Sun, 27 Mar 2022 10:01:12 +0000 (UTC) (envelope-from markm@FreeBSD.org) Received: from smtp.freebsd.org (smtp.freebsd.org [96.47.72.83]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "smtp.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4KRBDS0fd9z3JvM; Sun, 27 Mar 2022 10:01:12 +0000 (UTC) (envelope-from markm@FreeBSD.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648375272; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QtKZlmoPmCZeZzf3zUITNr5oqPJjC+eytjIkvdqCw7A=; b=bs2M7e5xuYcawTnAOyqIo4G4GHIXmz5gL36q6oyJdo2LrsA0chD2RVQqNYf9n9U5at9a7c HIlDWmecGQhB9oPJt4YArVPwJxgHb1NmGvZBorDBYuwpvkmij1uGuZLSlRsNzLkwVa9MiA f4JrnOkJWa45f3D7leg+J+gIWNNSCBFkVS2QpNzTvb1e2iX9uK9wJ303eiyCmwmoxCTUp5 w6k8mjfK0g9kvlp/3JHI51G74MPSHEXwR4wtBOjy21wMlCfUTgCPOfqRjzmvrisSG7mn3W ibwEwMyX+74ictU4xdJsmUou+le9UgWzW4W2Wn6FI2CEzD5zVn1q3Zwui4xytA== Received: from smtpclient.apple (unknown [IPv6:2a02:8011:300b:42:a15e:6817:9c82:eaeb]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) (Authenticated sender: markm) by smtp.freebsd.org (Postfix) with ESMTPSA id 5DF245D6F; Sun, 27 Mar 2022 10:01:11 +0000 (UTC) (envelope-from markm@FreeBSD.org) Content-Type: multipart/signed; boundary="Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B"; protocol="application/pgp-signature"; micalg=pgp-sha512 List-Id: Security issues List-Archive: https://lists.freebsd.org/archives/freebsd-security List-Help: List-Post: List-Subscribe: List-Unsubscribe: Sender: owner-freebsd-security@freebsd.org X-BeenThere: freebsd-security@freebsd.org Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.80.82.1.1\)) Subject: Re: Adding entropy from external source into random number generator - how? From: Mark Murray In-Reply-To: Date: Sun, 27 Mar 2022 11:01:08 +0100 Cc: "freebsd-security@freebsd.org" Message-Id: References: To: freebsd-lists@sensation.net.au X-Mailer: Apple Mail (2.3696.80.82.1.1) ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1648375272; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=QtKZlmoPmCZeZzf3zUITNr5oqPJjC+eytjIkvdqCw7A=; b=maU9cSrYF5v9bDjnD0mTXghbVyTgtsBHqbWborGRB+ACcLpy+4Vc3C5rKsovfm4WXaLBG6 9zRuXm6XDSNKtBBftXii/Z2IleSAgITCi1ZPMGWkFbfRKI5s1V5wlzK3flK4PdCbwbGKMP t6OyJ+JX5Ih1BgDrlwcLzDWuWMbvbkshRV6lSnPMxaPxVAqzmbn7fFBcTGvi+2H7Rblub1 M+1IrKhw99+Hd7st1RCo9LQrOYG0NAlndQCrNwvLVzOtTISavYmzW0cWAPjbjPgyrz121n kIhlkwRuhILTZTaQgHaFxeZaf8QeQTLfeZbbjc3yhpQmZ9XOOY/1qhbcZn0J2Q== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1648375272; a=rsa-sha256; cv=none; b=o+mLvBKbD0T5CEZ4K1i6l852nx4cg4xsddnmQOn8PSim5kTLPkoftboSAEoX/5RPnMMyXb 3aXoRupge5UZySb1xir1SVWp9vZ9SttNdA9iizBvgkkHN4cU0VWjGLshZl2F5gAY6b8rvO tZMgFs7NiHg45BAodAgf1RX5VGhYecn+y88n3oqsj6K96PbmqQRY4KUzpkoM3dmNn3XGpw a3xQd/4o+7Qrvx+KxOqy7xlLvfByfj48gd/8gUSHP4gXr6WdG7b9YAoPib2KAQnmY972n1 6B0f3JMiCqqiTlNRGwVSB2Uw6ExX9QgGZDpVie2Vgv0bgjKuqQo9yYMX2QwyGw== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-ThisMailContainsUnwantedMimeParts: N --Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B Content-Type: multipart/alternative; boundary="Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B" --Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B Content-Transfer-Encoding: quoted-printable Content-Type: text/plain; charset=us-ascii > On 26 Mar 2022, at 17:29, freebsd-lists@sensation.net.au wrote: >=20 > Hi all. I was pointed to this mailing list, so I hope my query is = reasonably on topic. >=20 > I've developed simple firmware on a microcontroller which uses the = values of multiple floating analog inputs to generate random numbers. = I'd like to use this as an external source to add entropy into a FreeBSD = system. OK. Good. > I think the best way to do it would be to call = random_harvest_queue(...), but what do I use as the source enum (see = /usr/include/sys/random.h)? ENTROPYSOURCE, I guess? Add a new one for your source. > I believe it's also possible to open /dev/random for write to inject = entropy, and I'm sure I saw mention of this being available around = 12.0R, but I cannot find any mention of that scenario in the man pages. This is for userland sources. If you are in-kernel, use = random_harvest_queue(9), and be careful that you don't run at high rate = - i.e. if your harvester spends a lot of time waiting for its source, = then good, otherwise sleep to keep the rate down to a trickle. You don't = need more than a maybe a few tens of harvested events per second = maximum. If your source is good, even ten events per second would be = excessive. > I guess the other question to ask is whether ~45 kilobytes per second = of additional entropy is even useful in a typical situation? There's no = strict security requirement or anything like that, it's really just a = fun project that I'm hoping to actually use. :) All entropy is good = entropy, right? What's your threat model? Guessing 256 bits by brute force alone is such a good approximation to = impossible in human timeframes that even a demigod would not bother = trying. Supplying that much entropy per second may be good for = generating "true" randomness only if you believe the accumulator and = generator were broken cryptographically, but for everyday use that would = be excessive by very many orders of magnitude. Having an idea about how good your source is, would be a useful = exercise. A basic and easy measurement would be to calculate the Shannon = entropy of your source. This will give an estimate of the equivalent = number of bits of entropy that it supplies, under the conditions of your = measurement. See = https://en.wikipedia.org/wiki/Entropy_(information_theory) = - H(X) is = the Shannon entropy, measured in bits if b =3D 2 (see lower down in that = page for the definition). M -- Mark R V Murray --Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B Content-Transfer-Encoding: quoted-printable Content-Type: text/html; charset=us-ascii

On 26 Mar 2022, at 17:29, freebsd-lists@sensation.net.au wrote:

Hi = all. I was pointed to this mailing list, so I hope my query is = reasonably on topic.

I've developed simple = firmware on a microcontroller which uses the values of multiple floating = analog inputs to generate random numbers. I'd like to use this as an = external source to add entropy into a FreeBSD system.

OK. = Good.

I think the best way to do it would be to = call random_harvest_queue(...), but what do I use as the source enum = (see /usr/include/sys/random.h)? ENTROPYSOURCE, I guess?

Add a new = one for your source.

I believe it's also possible = to open /dev/random for write to inject entropy, and I'm sure I saw = mention of this being available around 12.0R, but I cannot find any = mention of that scenario in the man pages.

This is = for userland sources. If you are in-kernel, use random_harvest_queue(9), = and be careful that you don't run at high rate - i.e. if your harvester = spends a lot of time waiting for its source, then good, otherwise sleep = to keep the rate down to a trickle. You don't need more than a maybe a = few tens of harvested events per second maximum. If your source is good, = even ten events per second would be excessive.
 
I guess the other question to ask is whether ~45 kilobytes = per second of additional entropy is even useful in a typical situation? = There's no strict security requirement or anything like that, it's = really just a fun project that I'm hoping to actually use. :) All = entropy is good entropy, right?

What's = your threat model?

Guessing 256 bits = by brute force alone is such a good approximation to impossible in human = timeframes that even a demigod would not bother trying. Supplying that = much entropy per second may be good for generating "true" randomness = only if you believe the accumulator and generator were broken = cryptographically, but for everyday use that would be excessive by very = many orders of magnitude.

Having an = idea about how good your source is, would be a useful exercise. A basic = and easy measurement would be to calculate the Shannon entropy of your = source. This will give an estimate of the equivalent number of bits of = entropy that it supplies, under the conditions of your measurement. = See https://en.wikipedia.org/wiki/Entropy_(information_theory)&= nbsp;- H(X) is the Shannon entropy, measured in bits if b =3D 2 (see = lower down in that page for the definition).

M
-- 
Mark R V Murray

= --Apple-Mail=_667BF386-02F2-43E4-847F-D0881038806B-- --Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B Content-Transfer-Encoding: 7bit Content-Disposition: attachment; filename=signature.asc Content-Type: application/pgp-signature; name=signature.asc Content-Description: Message signed with OpenPGP -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.2 Comment: GPGTools - http://gpgtools.org iQEzBAEBCgAdFiEEyzPHvybPbOpU9MCxQlsJDh9CUqAFAmJANeQACgkQQlsJDh9C UqC1rQf/WXHX3T6IZdvRgfbr1hexjSCD/rSAeyMN+Td3/AH8InbTuQzm50wKyz0u MDNJ8MFDAxfcCihJjkA5G7vnnkTN7AMes1zCWdfW+pmnu0VXgQN90NDZbAsJUZ7d Gtf1k7IHdRgNb1ZOmqDnwzY626aFUM1lak/Hq9/AEfRjdS3D3LnRhGp4v5Www5tG qrwKRptN+RIi2cd8L1pi9Rh+bblotjvG6d5EMfJYg68chS7/6LrvF938hkwEBJwB h3r1KsqsQ13k1AHRLuXEuOjlbXnr9GyVbA+S3d/Xx32pbSUvZ2t2+bfxwNc71+AJ HIb9cnnW9cJ2n2/4UxY7f3UGZKmTCA== =tu1c -----END PGP SIGNATURE----- --Apple-Mail=_D75555FF-2A6F-4774-9BEB-85C39903F57B--