Re: [PATCH] random: add blocking facility to urandom

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Thursday, September 08, 2011 10:21:13 PM Sandy Harris wrote:
> > The system being low on entropy is another problem that should be
> > addressed. For our purposes, we cannot say take it from TPM or RDRND or
> > any plugin board. We have to have the mathematical analysis that goes
> > with it, we need to know where the entropy comes from, and a worst case
> > entropy estimation.
> 
> Much of that is in the driver code's comments or previous email
> threads. For example,
> this thread cover many of the issues:
> http://yarchive.net/comp/linux/dev_random.html
> There are plenty of others as well.
> 
> > It has to be documented in detail.
> 
> Yes. But apart from code comments, what documentation
> are we talking about? Googling for /dev/random on tldp.org
> turns up nothing that treats this in any detail.

Thanks for the reply. I see that you are trying to be helpful. But I think you 
misunderstand what I was trying to say or maybe I was not entirely clear. We have the 
correct analysis for the kernel and it does indeed pass FIPS-140, unaided. We know the 
entropy comes from what the minimum entropy estimation is, and quality. (The only 
issue is guaranteeing that any seed source must also include entropy.) 

But what I was trying to say is that we can't depend on these supplemental hardware 
devices like TPM because we don't have access to the proprietary technical details 
that would be necessary to supplement the analysis. And when it comes to TPM chips, I 
bet each chip has different details and entropy sources and entropy estimations and 
rates. Those details we can't get at, so we can't solve the problem by including that 
hardware. That is the point I was trying to make. :)

Thanks,
-Steve
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux