Re: [PATCH RFC] crypto: drbg - lower reseed threshold if seed source is degraded

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sun, Jun 07, 2015 at 12:04:17AM +0200, Stephan Mueller wrote:
> Hi,
> 
> may I ask for review of the following patch. I would like particular feedback
> to the initial threshold value, which the patch currently sets to 50 (requests
> by a caller to the DRBG for random numbers). Thank you.
> 
> I am not sure about this value because there are two conflicting issues
> revolving around this value:
> 
> 1. We have to ensure that the DRBG has a sufficiently entropic internal state.
> That would mean, I should set that value as low as possible.
> 
> 2. This is the more problematic one: when considering information theory, if
> you draw from a DRNG (which the nonblocking pool is in the worst case -- and
> the boot time discussed below is our worst case) that is not fully seeded, you
> reduce the entropy in that DRNG (contrary to conventional wisdom). For the
> discussion, let us assume the worst case that there is coming in one bit of
> entropy at a time into the discussed DRNG. In between the addition of each bit
> of entropy, an attacker can access the DRNG (i.e. the SHA1 output of the
> nonblocking_pool). When only one bit of entropy is added to the
> nonblocking_pool, the attack complexity would be 1 bit. When an attacker would
> access the nonblocking_pool after each received bit, in the worst case, the
> attack complexity is not 2**128 but rather 256 (i.e. 1 bit for each individual
> attack between the addition of one new bit of entropy). So, the total attack
> complexity is the sum of the individual attack complexities (i.e. the
> complexity added after the previous attack is performed). This issue is
> aggravated by the nonblocking pool as the entropy counter used for declaring
> that the threshold defining the that nonblocking pool is initialized is never
> decreased by requests, but only increased. So, with that issue in mind, we
> want to set the reseed threshold of the DRBG to rather a higher level.
> 
> Thus I am struggling to find the right(TM) initial value for the reseeding
> threshold.
> 
> Or maybe you can tell me that there is no need for the patch to begin with as
> the initial seed plus the async request to the nonblocking pool is good as is.
> :-)
> 
> Note, this patch is on top of the patch updating the async reseeding sent out 
> yesterday.

Well it makes perfect sense if you don't trust Jitter RNG to return
the amount of entropy it claims to return :)

Anyway, I'm happy to apply this.  However, the patch is corrupted
so please resend it without the white-space damage/line wrapping.

Thanks,
-- 
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux