Re: [PATCH v3 0/8] Rework random blocking

From: Willy Tarreau
Date: Sat Dec 28 2019 - 02:21:35 EST


On Fri, Dec 27, 2019 at 05:08:57PM -0500, Theodore Y. Ts'o wrote:
> > Or maybe the terminology of TRNG (i.e. "true") is offending. I have no concern
> > to have it replaced with some other terminology. Yet, I was just taking one
> > well-defined term.
>
> But my point is that it *isn't* a well defined term, precisely because
> it's completely unclear what application programmer can expect when
> they try to use some hypothetical GRANDOM_TRUERANDOM flag. What does
> that *mean*?

I've also seen this term used and abused too many times and this bothers
me because the expectations around it are the cause of the current
situation.

Randomness doesn't exist by itself. It's what characterizes the
unpredictable nature of something. I.e. our inability to model it and
guess what will happen based on what we know. 200 years ago we'd have
considered the weather as a true random source. Now we have super
computers making this moot. In the current state of art we consider
that cesium decay or tunnel noise are unpredictable and excellent
random sources, until one day we figure that magnetic fields,
temperature or gamma rays strongly affect them.

So in practice we should only talk about the complexity of the model we
rely on. The more complex it is (i.e. the most independent variables it
relies on), the less predictable it is and the more random it is. Jitter
entropy and RAM contents are good examples of this: they may be highly
unpredictable on some platforms and almost constant on others. And for
sure, software cannot fix this, it can at best make the output *look*
like it's unpredictable. Once someone can model all variables of the
environment this is not true random anymore.

That's why the best we can do is to combine as many sources as possible
hoping that nobody can model enough of them, and produce an output which
never ever reveals these sources' internal states. *This* is what software
can and must do. And once the initial entropy is hidden enough and there
is enough of it, there's no reason for it to ever get depleted if these
initial bits cannot be guessed nor brute-forced.

And quite frankly I'd rather just speak about the diversity of sources
than "true" randomness. Just asking a user to press 10 random keys and
to enter a random word for some operations can break many assumptions
an attacker could have about the environment, by just adding one extra,
less controllable, source.

Just my two cents,
Willy