[cryptography] Quality of HAVEGE algorithm for entropy?

Joachim Strömbergson Joachim at Strombergson.com
Thu Nov 28 04:01:06 EST 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Aloha!

coderman wrote:
> On Tue, Nov 26, 2013 at 10:09 AM, Joachim Strömbergson 
> <Joachim at strombergson.com> wrote:
>> ... I have concerns though on embedded SSL stacks that use Havege
>> as entropy source on MCUs such as AVR32 and ARM. ... On an
>> x86-based server you can use Havege, but use it to feed 
>> /dev/random, not as a RNG directly. The same goes for Jytter.
> 
> 
> good points!
> 
> haveged should work fine on StrongArm, A8, A9, Xscale, anything with
> a high res timer like ARM Cycle Counter (in place of TSC).
> 
> older ARM processors and x86 without high res TSC (pre-pentium?)
> will have trouble.

Note that Havege is based on the assumption that instruction execution
time varies and can be forced to vary as much as possible. On
single-issue, RISC architectures with no or simple (such as SW
controlled) cache memories you basically will have to hit main store in
order to get a lot of variance. Then you also need a cycle timer, high
res timer to be able to measure the variance.

Another thing to note is that RDTSC is one of the instructions that
VM-systems can (and will) simulate. This means that the source for
Havege entropy will be synthetic and arbitrary from physical event.

- -- 
Med vänlig hälsning, Yours

Joachim Strömbergson - Alltid i harmonisk svängning.
========================================================================
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.22 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAlKXBlIACgkQZoPr8HT30QEqcwCfS1Ux5rhm5QBHbnqr2gThKoTy
x7AAoIw4AKhWBNLUMJSEDlD0KHsLjxC+
=Vm3Q
-----END PGP SIGNATURE-----


More information about the cryptography mailing list