Re: [RFC][PATCH] Entropy generator with 100 kB/s throughput

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Feb 10, 2013 at 01:46:18PM +0100, Stephan Mueller wrote:
> 
> However, the CPU has timing jitter in the execution of instruction. And
> I try to harvest that jitter. The good thing is that this jitter is
> always present and can be harvested on demand.

How do you know, though, that this is what you are harvesting?
Depending on the hardware and CPU that you are using, CLOCK_REALTIME
might be quantized in no more than 4ms intervals.  Even on systems
with a TSC register, the TSC register has all sorts of effects which
can limit its granularity, and in fact is generally quantized as a
multiple of the bus cycles.  Intel states that the quantization
effects mean that for timing purposes, you can't really accurately
time anything under 1000 cycles.  So at that point, you're not
measuring CPU timing jitter, but something else; perhaps the frequency
beats between the CPU clock and the bus clock.  Also, consider what
might happen if you are booted on a VM; at that point, I can pretty
much guarantee that whatever you are measuring, it will almost
certainly _not_ be from CPU timer jitter.  It may be some very
hard-to-predict pattern generated from the timing interactions of the
host OS scheduler and the guest OS's scheduler, but that does _not_
necessarily mean that there is true randominess which you are getting.

After all, if I give you a sequence of numbers which is generated by
encrypting a counter with a secret AES key which only I know, that
does _not_ mean that you have a strong cryptographic random number
generator.  If you use that sequence to generate session keys, I will
be able to break all of your encrypted traffic.  The mere fact that
the sequence of numbers is one which passes pretty much all RNG tests,
whether they be FIPS 140, or the BSI tests, or the dieharder tests,
and just because _you_ can't figure out the pattern, does not mean
that therefore the sequence is random.

> I am not sure how that applies to the suggested code. The entropy source
> just generates raw entropy without using a hash. 

And what's your proof that your entropy source really is an entropy
source?

After all, I can claim that the dice rolls are random based on the
chaotic air movements influencing how the die spins through the air.
The fact that there are chaotic air movements isn't the question.  The
question is whether or not the die is perfectly balanced.  If the die
is weighted unevenly, the fact that there are all sorts of subtle
chaotic effects which could be influencing the roll of the dice is
utterly irrelevant.

Similarly, if the time stamp counter, even though supposedly it is
giving you granularity measured in nanoseconds, is in fact getting
granularized somewhere in the hardware in in the thousands of cycles,
even if there are apparently many digits of precision, does not mean
that you actually have that many significant digits.

Regards,

						- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux