[cryptography] Quality of HAVEGE algorithm for entropy?
Joachim at Strombergson.com
Thu Nov 28 04:01:06 EST 2013
> On Tue, Nov 26, 2013 at 10:09 AM, Joachim Strömbergson
> <Joachim at strombergson.com> wrote:
>> ... I have concerns though on embedded SSL stacks that use Havege
>> as entropy source on MCUs such as AVR32 and ARM. ... On an
>> x86-based server you can use Havege, but use it to feed
>> /dev/random, not as a RNG directly. The same goes for Jytter.
> good points!
> haveged should work fine on StrongArm, A8, A9, Xscale, anything with
> a high res timer like ARM Cycle Counter (in place of TSC).
> older ARM processors and x86 without high res TSC (pre-pentium?)
> will have trouble.
Note that Havege is based on the assumption that instruction execution
time varies and can be forced to vary as much as possible. On
single-issue RISC architectures with no or simple (such as SW
controlled) cache memories you basically will have to hit main store in
order to get a lot of variance. Then you also need a cycle timer or other
high-res timer to be able to measure the variance.
Another thing to note is that RDTSC is one of the instructions that
VM-systems can (and will) simulate. This means that the source for
Havege entropy will be synthetic and arbitrary rather than tied to
physical events.
With kind regards, Yours
Joachim Strömbergson - Always in harmonic oscillation.
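The message above argues that HAVEGE only works where execution time actually varies and where a timer is fine enough to resolve that variance, and that a virtualised timer can make the samples synthetic. The following is an added example, not code from the original message or from HAVEGE/haveged: a small health check that harvests timer deltas around a cache-missing memory walk, keeps the low byte of each delta, and reports a conservative integer min-entropy floor plus the share of repeated deltas. The LCG walk, the 8 MiB buffer size, the sample count and the pass thresholds are all constructed for illustration; on x86 it reads the TSC, elsewhere it falls back to `clock_gettime(CLOCK_MONOTONIC)`, whose resolution is exactly what the check measures.

```c
/* Added example, not code from the original message or from HAVEGE itself.
 * Health check for a HAVEGE-style timing source: harvest timer deltas around
 * a memory-touching loop, keep the low byte of each delta, then estimate how
 * much variance the timer actually resolves. A coarse timer (or a virtualised,
 * synthetic one) shows up as mostly repeated deltas and a low entropy floor. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#if defined(__x86_64__) || defined(__i386__)
#include <x86intrin.h>
/* x86: the cycle counter (TSC), the timer HAVEGE normally reads. */
static uint64_t read_cycles(void) { return __rdtsc(); }
#else
/* Other architectures: monotonic clock in nanoseconds. Its resolution is
 * platform dependent, which is precisely what this check exposes. */
static uint64_t read_cycles(void)
{
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}
#endif

/* Harvest n timing deltas. Each sample times a short walk over buf that jumps
 * pseudo-randomly (LCG), so accesses miss cache when buf exceeds the cache
 * hierarchy. Only the low byte of each delta is kept. Returns samples written. */
size_t harvest_deltas(uint8_t *out, size_t n, volatile uint32_t *buf, size_t buflen)
{
    uint32_t idx = 12345u;            /* constructed seed for the walk */
    uint32_t sink = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = read_cycles();
        for (int k = 0; k < 16; k++) {
            idx = idx * 1664525u + 1013904223u;   /* Numerical Recipes LCG */
            sink += buf[idx % buflen];
            buf[idx % buflen] = sink;            /* write so the loop is not optimised away */
        }
        uint64_t t1 = read_cycles();
        out[i] = (uint8_t)(t1 - t0);
    }
    return n;
}

/* Conservative estimate: floor(-log2(p_max)) bits, p_max being the frequency of
 * the most common byte. Integer-only, so no libm is needed. Constant input
 * gives 0, two equally likely values give 1, uniform bytes give 8. */
unsigned min_entropy_floor_bits(const uint8_t *s, size_t n)
{
    size_t count[256] = {0};
    size_t maxc = 0;
    if (n == 0) return 0;
    for (size_t i = 0; i < n; i++)
        if (++count[s[i]] > maxc) maxc = count[s[i]];
    unsigned bits = 0;
    while (bits < 8 && (maxc << (bits + 1)) <= n) bits++;
    return bits;
}

/* Percentage of consecutive samples that are identical. A high value means the
 * timer does not resolve the execution-time variance HAVEGE relies on. */
unsigned repeated_percent(const uint8_t *s, size_t n)
{
    if (n < 2) return 0;
    size_t rep = 0;
    for (size_t i = 1; i < n; i++)
        if (s[i] == s[i - 1]) rep++;
    return (unsigned)(rep * 100 / (n - 1));
}

int main(void)
{
    enum { N = 4096, BUFLEN = 1u << 21 };          /* 8 MiB of uint32_t, constructed size */
    volatile uint32_t *buf = calloc(BUFLEN, sizeof *buf);
    uint8_t *samples = malloc(N);
    if (!buf || !samples) return 1;
    harvest_deltas(samples, N, buf, BUFLEN);
    unsigned bits = min_entropy_floor_bits(samples, N);
    unsigned rep = repeated_percent(samples, N);
    printf("min-entropy floor: %u bits/sample, repeated deltas: %u%%\n", bits, rep);
    /* Illustrative thresholds, not HAVEGE's own: a source that resolves little
     * variance should at most feed a pool such as /dev/random, never be the RNG. */
    printf("verdict: %s\n", (bits >= 4 && rep < 10)
           ? "plausible as one input to an entropy pool"
           : "too coarse or too regular; do not use directly");
    free((void *)buf);
    free(samples);
    return 0;
}
```

Run it natively and then inside a VM on the same hardware: a drop in the entropy floor and a jump in repeated deltas under virtualisation is the symptom the message describes, and a platform that fails the check outright is one where the timer rather than the workload is the limit.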