RE: Concurrent access to /dev/urandom

From: David Schwartz
Date: Tue Nov 30 2004 - 13:58:17 EST

Next message: Randy.Dunlap: "Re: patch RTAI (fusion-0.6.4) with kernel 2.6.9 on Fedora Core 3"
Previous message: William Lee Irwin III: "Re: 2.6.10-rc2-mm4"
In reply to: Jan Engelhardt: "Re: Concurrent access to /dev/urandom"
Next in thread: David Wagner: "Re: Concurrent access to /dev/urandom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> >Even timer interrupts are incredibly unpredictable. Instructions can
> >take
> >variable times to complete, and all instructions plus some indeterminate
> >cache operations and queue flushing must occur before the CPU can
> >even begin to service an interrupt.
>
> Well, don't timer interrupts happen every 1/1000 s (unless, of
> course, cli() is
> in effect)?

Roughly. If you store the TSC on every timer interrupt, there is nobody in the world that can accurately predict what TSC value you will get. Or, to put it in more precise terms, if you log 100 such TSC values and run an MD5 on all of them together, nobody can predict with better than 50% accuracy the value of any bit of that MD5 output.

> >Also of note, there are small
> >critical
> >sections with interrupts disabled scattered all over the kernel and
> >scheduler,
> >in addition to varying memory latencies, etc. (NOTE: I am not an arch
> >expert
>
> In case you mean the RDTSC, it is of course better than the I8042, for
> random-aphy.

To mine the entropy in the unpredictability of instruction scheduling, cache effectiveness, and slew between the various oscillators in a computer, you need a timing source with the accuracy of the TSC.

You can mine entropy from any two independent oscillators. However, the rate at which you can mine them varies largely upon the frequency of the slowest oscillator. This is why network cards are such good sources of entropy on Pentium machines. You have the network card's oscillator, the oscillator on the network card sending the data to you, and the TSC. All are fast and totally independent.

The timer interrupt may be generated by a clock that ultimately comes from the same source as the TSC clock. This varies from motherboard to motherboard. However, they're generally produced by a PLL that has lots of jitter and slew. So there should be some entropy in there, even without considering unpredictable cache and disk delays.

DS

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Randy.Dunlap: "Re: patch RTAI (fusion-0.6.4) with kernel 2.6.9 on Fedora Core 3"
Previous message: William Lee Irwin III: "Re: 2.6.10-rc2-mm4"
In reply to: Jan Engelhardt: "Re: Concurrent access to /dev/urandom"
Next in thread: David Wagner: "Re: Concurrent access to /dev/urandom"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]