/dev/random
Doug Barton
dougb at FreeBSD.org
Tue Aug 21 07:10:37 UTC 2012
On 08/20/2012 15:55, Peter Jeremy wrote:
> On 2012-Aug-20 23:05:39 +0100, Ben Laurie <ben at links.org> wrote:
>>> Well, it's hard to comment when you failed to explain
>>> *why* you think it is a mistake.
>>
>> Sorry - because I do not think it is wise to trust the h/w prng so
>> much we discard other entropy.
>
> This depends on the relative predictability of Yarrow vs the hardware
> RNG.
Throughout this thread people have been mixing up entropy sources, and
hardware and software PRNGs. A PRNG has (at least) two components: the
entropy source(s), and the software that turns the entropy into a stream
of pseudo-random output.
You can't directly compare "yarrow" vs. Padlock without comparing both
elements.
> FreeBSD random(4) currently only supports one hardware RNG - the
> one in the VIA Nehemiah. VIA have published an independent evaluation
> of their RNG which suggests it is a good source of entropy.
I'm not sure what paper you're referring to, but according to the
padlock programming guide it's a random number generator, not (directly)
an entropy source. That said, it certainly *could* be used as an entropy
source for yarrow.
The way I see it, if padlock is available, there should be 3 options:
1. Use it as the exclusive feed for /dev/random
2. Allow the user to bypass it for the regular yarrow implementation
3. Allow padlock to be utilized as a source of entropy for yarrow.
> Additionally, the RNG is not used in a raw form, instead a Davies-Meyer
> hash is performed using the AES-128 CBC with random key, IV and data to
> further whiten the output. I am not sure whether anyone has done any
> comparison of the relative randomness of these approaches.
That's the software component of the RNG.
>> That is everything except the hardware, right? So ... all other sources.
>
> The FreeBSD random(4) device implementation currently allows only one
> RNG to be active at a time, though it should be possible to create a
> kernel thread that regularly adds entropy from a hardware RNG to the
> Yarrow state.
Right. The mechanism already exists to use devices as feeders to
yarrow's entropy pool. It should be trivial to add another one.
hth,
Doug
--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)
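Added example (not part of the thread and not FreeBSD's random(4) or Padlock driver code): a toy model of the two-component picture Doug draws, with a Davies-Meyer compression function over AES-128 standing in for the "software component" Peter mentions, and a pool that any number of named sources can feed. ThreeOptions builds one pool per configuration in Doug's list (hardware RNG as exclusive feed, bypassed entirely, or one feeder among others). The type and function names, and the "padlock", "irq" and "disk" sample bytes, are all hypothetical and constructed here; none of the sample data is real entropy, and the CTR generator is a teaching stand-in, not Yarrow.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Block is the AES block size; the pool state is one block.
const Block = 16

// DaviesMeyer compresses msg into a 16-byte chaining value using AES-128:
//   H_i = E_{m_i}(H_{i-1}) XOR H_{i-1}
// with each 16-byte message block m_i used as the AES key. msg is
// zero-padded to a block boundary and a final block carrying the original
// length is appended, so inputs differing only in padding hash differently.
func DaviesMeyer(iv [Block]byte, msg []byte) [Block]byte {
	padded := append([]byte{}, msg...)
	if r := len(padded) % Block; r != 0 {
		padded = append(padded, make([]byte, Block-r)...)
	}
	var lenBlk [Block]byte
	binary.BigEndian.PutUint64(lenBlk[8:], uint64(len(msg)))
	padded = append(padded, lenBlk[:]...)

	h := iv
	for i := 0; i < len(padded); i += Block {
		c, err := aes.NewCipher(padded[i : i+Block]) // message block as key
		if err != nil {
			panic(err) // unreachable: the key is always exactly 16 bytes
		}
		var e [Block]byte
		c.Encrypt(e[:], h[:])
		for j := range h {
			h[j] ^= e[j]
		}
	}
	return h
}

// Pool is a hypothetical stand-in for the software half of a PRNG: it
// absorbs samples from any number of named sources and derives output with
// AES-128 in counter mode keyed by the pool state. Not FreeBSD's Yarrow.
type Pool struct {
	state   [Block]byte
	counter uint64
}

// Harvest mixes one sample from a named source into the pool state. The
// source name is bound into the hash so two sources delivering identical
// bytes still move the state differently.
func (p *Pool) Harvest(source string, sample []byte) {
	msg := append([]byte(source+":"), sample...)
	p.state = DaviesMeyer(p.state, msg)
}

// Read returns n generator bytes: AES-128-CTR under the current state.
func (p *Pool) Read(n int) []byte {
	c, _ := aes.NewCipher(p.state[:]) // 16-byte key, cannot fail
	out := make([]byte, 0, n+Block)
	var ctr, blk [Block]byte
	for len(out) < n {
		binary.BigEndian.PutUint64(ctr[8:], p.counter)
		p.counter++
		c.Encrypt(blk[:], ctr[:])
		out = append(out, blk[:]...)
	}
	return out[:n]
}

// Constructed sample bytes standing in for a "padlock" hardware-RNG read
// and two software sources (interrupt and disk timings). Not real entropy.
var (
	padlockSample = []byte{0x9c, 0x02, 0x4d, 0xe1, 0x77, 0x3a, 0xb8, 0x5f, 0x10, 0xc6, 0x2e, 0x91, 0x04, 0xfa, 0x63, 0xd7}
	irqSample     = []byte{0x00, 0x13, 0x2a, 0x07, 0x5c, 0x01, 0x44, 0x19}
	diskSample    = []byte{0x31, 0x07, 0x2f, 0x66, 0x08, 0x12}
)

// ThreeOptions returns 32 output bytes from a pool built for each of the
// three configurations: hardware RNG as the exclusive feed, hardware RNG
// bypassed, and hardware RNG as one feeder among the software sources.
func ThreeOptions() (exclusive, bypass, combined []byte) {
	var p1, p2, p3 Pool
	p1.Harvest("padlock", padlockSample)
	exclusive = p1.Read(32)

	p2.Harvest("irq", irqSample)
	p2.Harvest("disk", diskSample)
	bypass = p2.Read(32)

	p3.Harvest("irq", irqSample)
	p3.Harvest("disk", diskSample)
	p3.Harvest("padlock", padlockSample)
	combined = p3.Read(32)
	return
}

func main() {
	a, b, c := ThreeOptions()
	fmt.Printf("exclusive: %x\nbypass:    %x\ncombined:  %x\n", a, b, c)
}
```

The point the model makes concrete is Doug's: the hardware device and the software conditioner are separate things, so "padlock vs. yarrow" is not a like-for-like comparison, and adding the hardware RNG as one more Harvest caller (option 3) does not require giving up the other feeders.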