Re: DRBG seeding

On Thursday, 16 April 2015, 22:36:17, Herbert Xu wrote:

Hi Herbert,

>Hi Stephan:
>
>Currently DRBG is seeded with entropy from get_random_bytes.
>However, get_random_bytes is basically the kernel version of
>/dev/urandom.  So there is no guarantee that you're actually
>getting the amount of entropy required.
>
>Are you sure this is compliant with the DRBG specification?

I do not see a specific requirement in SP800-90A about the quality of the 
noise source.

But SP800-90B specifies tests and assessments about the quality. When applying 
that specification, I applied some initial assessments: /dev/urandom complies 
with SP800-90B when disregarding the very early boot stage (i.e. when assuming 
that the input_pool received sufficient entropy).

The only shaky time is the boot time until the nonblocking_pool/input_pool has 
been sufficiently seeded.

That said, I already developed an in-kernel version of /dev/random. I sent the 
patch to LKML about half a year ago. If I understood Ted Tso right, there is no 
general objection against adding that in-kernel interface. See [1] for the 
thread.

Furthermore, I already started working on updating the DRBG to use that 
in-kernel /dev/random interface.

Shall I pursue that work in earnest now?

[1] https://lkml.org/lkml/2014/5/11/276


Ciao
Stephan
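As an added example (not Stephan's kernel code and not the Linux DRBG), the following Python implements the Hash_DRBG of SP800-90A with SHA-256 and makes the seeding requirement under discussion explicit: instantiate and reseed take the entropy input together with the amount of entropy the source claims for it, and refuse anything below the security strength. The EntropyInput type, the urandom_input helper and the claimed-entropy figure are assumptions made for illustration; os.urandom stands in for get_random_bytes here, a nonblocking source whose entropy claim the DRBG itself has no way to verify.

```python
"""Added example: minimal SP 800-90A Hash_DRBG (SHA-256) whose instantiate and
reseed steps refuse entropy input that does not meet the security strength.
Not the Linux kernel DRBG; EntropyInput and the claimed-entropy check are
assumptions for illustration."""
import hashlib
import os
from typing import NamedTuple

OUTLEN = 32             # SHA-256 digest length in bytes
SEEDLEN = 55            # 440 bits, seedlen for SHA-256 (SP 800-90A Table 2)
SECURITY_STRENGTH = 32  # 256 bits: minimum entropy the seed material must carry
_MOD = 1 << (SEEDLEN * 8)


class EntropyInput(NamedTuple):
    """Bytes from a noise source plus the entropy the source claims for them.
    The DRBG cannot measure entropy; it can only check the claim against its
    minimum. A /dev/urandom-style source hands over bytes without guaranteeing
    how much entropy they carry, which is why the claim matters (assumption)."""
    data: bytes
    entropy_bits: int


class InsufficientEntropy(ValueError):
    pass


class ReseedRequired(RuntimeError):
    pass


def _hash_df(data: bytes, n_bytes: int) -> bytes:
    """Hash_df derivation function (SP 800-90A 10.3.1)."""
    out = b""
    bits_to_return = (n_bytes * 8).to_bytes(4, "big")
    counter = 1
    while len(out) < n_bytes:
        out += hashlib.sha256(bytes([counter]) + bits_to_return + data).digest()
        counter += 1
    return out[:n_bytes]


def _add_mod(*parts: bytes) -> bytes:
    """Sum byte strings as big-endian integers modulo 2^seedlen."""
    total = sum(int.from_bytes(p, "big") for p in parts) % _MOD
    return total.to_bytes(SEEDLEN, "big")


def _check_entropy(ei: EntropyInput) -> None:
    """Reject entropy input that cannot satisfy the security strength."""
    if ei.entropy_bits > len(ei.data) * 8:
        raise InsufficientEntropy("claimed entropy exceeds input length")
    if ei.entropy_bits < SECURITY_STRENGTH * 8:
        raise InsufficientEntropy(
            f"need {SECURITY_STRENGTH * 8} bits of entropy, got {ei.entropy_bits}")


class HashDRBG:
    def __init__(self, entropy: EntropyInput, nonce: bytes = b"",
                 personalization: bytes = b"", reseed_interval: int = 1 << 20):
        _check_entropy(entropy)                      # instantiate: min entropy
        self.reseed_interval = reseed_interval
        self._seed(entropy.data + nonce + personalization)

    def _seed(self, seed_material: bytes) -> None:
        self.v = _hash_df(seed_material, SEEDLEN)
        self.c = _hash_df(b"\x00" + self.v, SEEDLEN)
        self.reseed_counter = 1

    def reseed(self, entropy: EntropyInput, additional: bytes = b"") -> None:
        _check_entropy(entropy)                      # reseed: same minimum
        self._seed(b"\x01" + self.v + entropy.data + additional)

    def generate(self, n_bytes: int, additional: bytes = b"") -> bytes:
        if self.reseed_counter > self.reseed_interval:
            raise ReseedRequired("reseed_counter exceeded reseed_interval")
        if additional:
            w = hashlib.sha256(b"\x02" + self.v + additional).digest()
            self.v = _add_mod(self.v, w)
        out, data = b"", self.v                      # Hashgen
        while len(out) < n_bytes:
            out += hashlib.sha256(data).digest()
            data = _add_mod(data, b"\x01")
        h = hashlib.sha256(b"\x03" + self.v).digest()
        self.v = _add_mod(self.v, h, self.c, self.reseed_counter.to_bytes(4, "big"))
        self.reseed_counter += 1
        return out[:n_bytes]


def urandom_input(n_bytes: int = SECURITY_STRENGTH) -> EntropyInput:
    """Seed from the OS nonblocking pool. The full-entropy claim is the
    caller's assumption; os.urandom does not guarantee it at early boot."""
    return EntropyInput(os.urandom(n_bytes), n_bytes * 8)


if __name__ == "__main__":
    drbg = HashDRBG(urandom_input(), nonce=os.urandom(16))
    print(drbg.generate(32).hex())
```

The check in _check_entropy is all a DRBG can do on its own: it enforces the length and the claim, not the truth of the claim. Whether the claim holds is the job of the noise source and of the SP800-90B assessment of it, which is exactly the gap a blocking in-kernel /dev/random interface would close for the early-boot case.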