Re: Intel 810 Random Number Generator

From: H. Peter Anvin (hpa@transmeta.com)
Date: Fri Jan 28 2000 - 04:43:03 EST


Pavel Machek wrote:
>
> Hi!
>
> > > Very easy to work around. A keyboard that's being pounded on
> > > generates:
> > >
> > > MAKE BREAK MAKE BREAK MAKE BREAK MAKE BREAK
> > >
> > > A keyboard that's autorepeating generates:
> > >
> > > MAKE MAKE MAKE MAKE MAKE MAKE MAKE MAKE MAKE
> > >
> > > Therefore, you ignore a MAKE signal from any key that you already know
> > > is down.
> >
> > PGP did this by ignoring two strokes from one key in a row, so you had to
> > alternate between at least two keys.
>
> Yes, but do you think me alternating between two keys at fastest speed
> possible is giving much random data? I just timed myself, and it gives
> something like 9chars/second. Thats well around jiffie
> resolution. [ok, on pentium+ rng uses rdtsc, but no such thing is done
> for other architectures]
>
> Should we put "while sitting on linux machine do NOT press
> two-key-sequence at fastest possible rate, because it could drain all
> randomness out of entropy pool"?
>
> Certainly not.
>

Of course not. Instead you need to have a reasonable function for
determine how much randomness you can expect. Perhaps you need to have
a trigger level: don't add randomness unless the prevous keystroke was
at least N ms separated, unless we have a high-resolution counter.

Why don't we use the TSC on other architectures that have them, e.g.
Alpha?

>
> Sources we use for gaining randomness are not much random at all, so I
> think adding i820 [which was _designed_ as random generator, unlike
> keyboard, mouse, and network card!] as yet another randomness source
> should be safe.
>

Yes, this is totally the right thing to do.

>
> People seem to care for NSA adding hooks. But it would be certainly
> easier to add other hooks [like switch me to ring0 when I do this 8
> byte sequence of instructions]. People seem to run statistic tests on
> poor i820 rng, but noone runs the same test on keyboard...
>

Note that if you're using an i820 you're using an x86, and the x86 has
the TSC so that sampling events can derive quite real randomness,
because the timing resolution is so high.

        -hpa

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Mon Jan 31 2000 - 21:00:20 EST