[cryptography] on using RDRAND [was: Entropy improvement: haveged + rngd together?]
smueller at chronox.de
Tue Dec 3 01:48:34 EST 2013
On Sunday, 1 December 2013, 20:27:34, dj at deadhat.com wrote:

> I would not characterize the Linux RNG issue as "fully resolved" in any
> way. Until every CPU maker includes a source of entropy by design (instead
> of by accident) and the Kernel gets off its high horse and chooses to use
> them and the kernel gets pre-configured in distros with sane parameters,
> crypto software will continue to fail from low entropy situations.

I would suggest you reconsider your last statement. As the noise source
offered by Intel or any other silicon is a black box by its nature, not
everybody is comfortable in using it, considering that the noise sources are
the very fundament the entire cryptography rests on. Thus, using RDRAND or any
other black box noise source per default in the kernel is just wrong.

And as long as even all aspects of the design are not published, being
cautious about a noise source is good. I wish that Intel would release the
detailed schematics and their analysis/testing of the noise source
implementation. As a hardware RNG based on flip-flops or oscillators is not
really rocket science, I do not understand why this information is held back.
Moreover, it would have helped if access to the raw noise source would have
been given for re-verifying the characteristics of the noise source.

The only acceptable way IMHO that works with all is: choice. And that choice
is given to us via rngd. Ok, you may move the choice to kernel land, but
still, it shall stay as a choice.

| Cui bono? |