/dev/random
Peter Jeremy
peter at rulingia.com
Mon Aug 20 22:55:13 UTC 2012
On 2012-Aug-20 23:05:39 +0100, Ben Laurie <ben at links.org> wrote:
>> Well, it's hard to comment when you failed to explain
>> *why* you think it is a mistake.
>
>Sorry - because I do not think it is wise to trust the h/w prng so
>much we discard other entropy.
This depends on the relative predictability of Yarrow vs the hardware
RNG. FreeBSD random(4) currently only supports one hardware RNG - the
one in the VIA Nehemiah. VIA have published an independent evaluation
of their RNG which suggests it is a good source of entropy.
Additionally, the RNG is not used in a raw form; instead a Davies-Meyer
hash is performed using AES-128 CBC with a random key, IV and
data to further whiten the output. I am not sure whether anyone has
done any comparison of the relative randomness of these approaches.
>That is everything except the hardware, right? So ... all other sources.
The FreeBSD random(4) device implementation currently allows only one
RNG to be active at a time, though it should be possible to create a
kernel thread that regularly adds entropy from a hardware RNG to the
Yarrow state.
>It is relevant because it seems there is entropy available in
>fine-grained timing.
Part of the entropy harvested at each of the sampling points is
the CPU cycle counter (e.g. the TSC). It's difficult to see what finer
grained timing you expect to be used.
--
Peter Jeremy
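The Davies-Meyer whitening step described in the message above, as an added example that is not FreeBSD's random(4) code: it is the textbook construction H_i = AES_{M_i}(H_{i-1}) XOR H_{i-1} over AES-128 (Go's standard crypto/aes), with each raw 16-byte sample block used as the cipher key and a caller-supplied IV as the initial chaining value. The packSamples block layout (64-bit sample plus 64-bit sequence number), the biased sample values and the all-zero IV in main are constructed for this demo; how the kernel actually keys, chains and seeds its AES pass is not shown here.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
)

// AES block and AES-128 key are both 16 bytes, which is what lets the
// message block double as the key in Davies-Meyer.
const blockSize = aes.BlockSize

var errBlockSize = errors.New("davies-meyer: inputs must be whole 16-byte blocks")

// daviesMeyer is one step of the Davies-Meyer construction over AES-128:
//
//	h' = AES_m(h) XOR h
//
// The raw sample block m is the *key*, the chaining value h the plaintext.
// AES under a fixed key is a permutation, so it is the feed-forward XOR
// that makes the step one-way; neither m nor AES_m(h) appears in the output.
func daviesMeyer(h, m []byte) ([]byte, error) {
	if len(h) != blockSize || len(m) != blockSize {
		return nil, errBlockSize
	}
	c, err := aes.NewCipher(m) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	out := make([]byte, blockSize)
	c.Encrypt(out, h)
	for i := range out {
		out[i] ^= h[i]
	}
	return out, nil
}

// whiten chains daviesMeyer over raw, one 16-byte block at a time, starting
// from the chaining value iv. raw must be a whole number of blocks; callers
// holding odd-sized samples pack them first (see packSamples).
func whiten(iv, raw []byte) ([]byte, error) {
	if len(iv) != blockSize || len(raw)%blockSize != 0 {
		return nil, errBlockSize
	}
	h := append([]byte(nil), iv...)
	for off := 0; off < len(raw); off += blockSize {
		next, err := daviesMeyer(h, raw[off:off+blockSize])
		if err != nil {
			return nil, err
		}
		h = next
	}
	return h, nil
}

// packSamples turns 64-bit samples (for instance cycle-counter readings
// taken at harvest points) into one message block each: the sample in the
// first 8 bytes, its sequence number in the last 8, both big-endian. The
// sequence number keeps two identical readings from yielding identical
// blocks. Layout chosen for this example only; it is not FreeBSD's format.
func packSamples(samples []uint64) []byte {
	out := make([]byte, 0, len(samples)*blockSize)
	for i, s := range samples {
		var blk [blockSize]byte
		binary.BigEndian.PutUint64(blk[:8], s)
		binary.BigEndian.PutUint64(blk[8:], uint64(i))
		out = append(out, blk[:]...)
	}
	return out
}

func main() {
	// Constructed input: heavily biased "hardware" samples that differ only
	// in their low bits, as a poorly conditioned RNG might produce.
	samples := []uint64{0xdeadbeef00000001, 0xdeadbeef00000002, 0xdeadbeef00000003}
	iv := make([]byte, blockSize) // all-zero chaining value, demo only
	out, err := whiten(iv, packSamples(samples))
	if err != nil {
		panic(err)
	}
	fmt.Printf("raw blocks: %x\n", packSamples(samples))
	fmt.Printf("whitened:   %s\n", hex.EncodeToString(out))
}
```

The whitened output looks uniform however skewed the samples are, which is the point of the step; it is also the caveat a reviewer would raise in the thread above: a compression function conceals bias but adds no entropy, so if an attacker can predict the raw samples (and the IV and key feeding the chain) the whitened stream is just as predictable.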