Re: [PATCH RFC] crypto: drbg - lower reseed threshold if seed source is degraded
From: Herbert Xu
Date: Tue Jun 09 2015 - 10:25:45 EST
On Sun, Jun 07, 2015 at 12:04:17AM +0200, Stephan Mueller wrote:
> Hi,
>
> may I ask for review of the following patch. I would like particular feedback
> to the initial threshold value, which the patch currently sets to 50 (requests
> by a caller to the DRBG for random numbers). Thank you.
>
> I am not sure about this value because there are two conflicting issues
> revolving around this value:
>
> 1. We have to ensure that the DRBG has a sufficiently entropic internal state.
> That would mean, I should set that value as low as possible.
>
> 2. This is the more problematic one: when considering information theory, if
> you draw from a DRNG (which the nonblocking pool is in the worst case -- and
> the boot time discussed below is our worst case) that is not fully seeded, you
> reduce the entropy in that DRNG (contrary to conventional wisdom). For the
> discussion, let us assume the worst case that there is coming in one bit of
> entropy at a time into the discussed DRNG. In between the addition of each bit
> of entropy, an attacker can access the DRNG (i.e. the SHA1 output of the
> nonblocking_pool). When only one bit of entropy is added to the
> nonblocking_pool, the attack complexity would be 1 bit. When an attacker would
> access the nonblocking_pool after each received bit, in the worst case, the
> attack complexity is not 2**128 but rather 256 (i.e. 1 bit for each individual
> attack between the addition of one new bit of entropy). So, the total attack
> complexity is the sum of the individual attack complexities (i.e. the
> complexity added after the previous attack is performed). This issue is
> aggravated by the nonblocking pool as the entropy counter used for declaring
> that the threshold defining the that nonblocking pool is initialized is never
> decreased by requests, but only increased. So, with that issue in mind, we
> want to set the reseed threshold of the DRBG to rather a higher level.
>
> Thus I am struggling to find the right(TM) initial value for the reseeding
> threshold.
>
> Or maybe you can tell me that there is no need for the patch to begin with as
> the initial seed plus the async request to the nonblocking pool is good as is.
> :-)
>
> Note, this patch is on top of the patch updating the async reseeding sent out
> yesterday.
Well it makes perfect sense if you don't trust Jitter RNG to return
the amount of entropy it claims to return :)
Anyway, I'm happy to apply this. However, the patch is corrupted
so please resend it without the white-space damage/line wrapping.
Thanks,
--
Email: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/