Re: [PATCH] API for TRNG (2.6.11) [Fortuna]

From: Jean-Luc Cooke
Date: Thu Mar 31 2005 - 09:05:12 EST

Next message: Ingo Molnar: "Re: NFS client latencies"
Previous message: Guillaume Thouvenin: "[patch 2.6.12-rc1-mm4] fork_connector: add a fork connector"
In reply to: David McCullough: "Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11)"
Next in thread: Andi Kleen: "Re: [PATCH] API for true Random Number Generators to add entropy(2.6.11)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Mar 31, 2005 at 01:52:14PM +1000, David McCullough wrote:
>
> Jivin Jeff Garzik lays it down ...
> ...
> > >If kernelspace can assist and driver _knows_ in advance that data
> > >produced is cryptographically strong, why not allow it directly
> > >access pools?
> >
> > A kernel driver cannot know in advance that the data from a hardware RNG
> > is truly random, unless the data itself is 100% validated beforehand.
>
> You can also say that it cannot know that data written to /dev/random
> is truly random unless it is also validated ?
>
> For argument you could just run "cat < /dev/hwrandom > /dev/random"
> instead of using rngd.
>
> If /dev/random demands a level of randomness, shouldn't it enforce it ?
>
> If the HW is using 2 random sources, a non-linear mixer and a FIPS140
> post processor before handing you a random number it would be nice to
> take advantage of that IMO.

For those who are interested, my Fortuna patch to the Linux RNG (/dev/random,
/dev/urandom) is available here (2.6.12-rc1, works on kernels as low as
2.6.11.4):
http://jlcooke.ca/random/

Fortuna is a Cryptographically Secure Random Number Generator (CSRNG)
developed by Neils Ferguson and Bruce Schnier and published in their book
Applied Cryptography.

By most regards, it is the state of the art as far as software based CSRNGs
go. The website gives an over view of the design, here is a summary:
Fortuna uses a block cipher (AES128) in CTR mode to generate output.
Fortuna uses a 32 hash states (SHA-256) which collect event data from
sources of randomness (as usual in Linux).
Once every 0.1sec or so, some of the hash states are finalised and the
digests are collected.
These digests are hashed together with with the current block cipher key to
produce the new block cipher key.

Ferguson goes into detail in Practical Cryptography as to why this design is
superior to Yarrow based RNG (like the existing Linux RNG) and also delves
into why entropy estimation is impossible and is infact a liability in RNG
design.

My patch keep the entropy estimation from the current Linux RNG since this is
a very controversial issue with most people. Disabling entropy estimation
and /dev/random blocking can be done by changing the RANDOM_NO_ENTROPY_COUNT
macro to 1.

I have not tested the syncookie code yet. But networking works smoothly
after I echo "1" to /proc/sys/net/ipv4/tcp_syncookies. Any help on this
would be great.

JLC
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ingo Molnar: "Re: NFS client latencies"
Previous message: Guillaume Thouvenin: "[patch 2.6.12-rc1-mm4] fork_connector: add a fork connector"
In reply to: David McCullough: "Re: [PATCH] API for true Random Number Generators to add entropy (2.6.11)"
Next in thread: Andi Kleen: "Re: [PATCH] API for true Random Number Generators to add entropy(2.6.11)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]