Re: [PATCH][RFC] Tests on 200 different CPUs/Arches and OSes with CPU Jitter RNG

[Stephan Mueller]

Am Sonntag, 18. August 2013, 20:05:52 schrieb Stephan Mueller:

Hi Ted, Sandy,

For FIPS 140-2, there is currently a draft of an Implementation Guidance 
discussed covering the requirements of seed sources for deterministic 
random number generators. The standard seed source when having no 
hardware RNGs is either /dev/urandom or /dev/random. Please note that 
the current discussion explicitly prohibits the use of /dev/urandom for 
FIPS 140-2 compliant systems.

In addition, the recommendation of SP800-90B is available in draft form 
at [1] placing quite severe requirements on seed sources. After 
assessing the above mentioned IG discussion and in discussions with the 
German BSI, these governmental folks seem to interpret the concept of 
entropy as solely information theoretical entropy. They seem to 
disregard cryptographic strength added by a whitening function. 
Therefore, my gut feeling is that /dev/urandom is also questioned by 
SP800-90B -- but I have no proof at this point.

That focus on information theoretical entropy ultimately implies that 
only /dev/random can be used and /dev/urandom must not be used. 
Naturally, many people are not happy with that due to the blocking 
behavior. Especially in a headless environment like server systems, 
Linux is currently starved of entropy. This is even more a problem with 
virtualized environments. For example, some time ago we tried to obtain 
48 bytes out of /dev/random on a PPC system after the entropy pools 
where completely drained. Well, we got it after some 20 hours as the 
system was quiet (it may now be a bit better with the interrupt usage in 
current kernels, but still there will be a noticeable block).

Now, people will scream: those governmental guys sell snake oil and we 
should still use /dev/urandom. And I have to concur. Yet, I am just 
delivering the message. With the German BSI, the last discussion showed 
that they are open to allowing /dev/urandom based on extensive 
discussions. Yet, you have to make quite a stance to prove that.

>- addition of a patch to integrate the RNG into /dev/random as
>explained in appendix B.3 of [2], although the long-term goal of the
>RNG is rather the integration into the kernel crypto API when
>considering the Linux kernel as outlined in appendix B.1 of [2]

All in all, with the suggested CPU Jitter RNG, all of this would be an 
issue of the past on systems the init function considers appropriate -- 
in my tests more than 95% of all systems are accepted. When using my 
patch on /dev/random, dd shows a throughput of about 6kb/s on my system 
when pulling out megabytes of data. It will be slower on slower systems, 
but yet it will not block. Moreover when pulling data for seed which is 
only a few bytes at a time, the invocation of /dev/random will not show 
any noticeable delay.

PS: As I mentioned earlier, however, my long term goal would be that 
callers would disregard /dev/random entirely as it is a central entropy 
source and therefore the prime spot for attacks to reduce entropy. With 
the jitter RNG, even unprivileged user space can have its own instance 
of a seed source.


[1] http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-90-B


Ciao
Stephan
-- 
| Cui bono? |

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/