Current-Users archive


Re: regarding the changes to kernel entropy gathering



> Is that file encrypted?

As I understand it, no.

> I think I'd prefer possibly insecure, but difficult to obtain from outside
> like disk drive interrupt timing low order bits than that.   Regardless of
> how unproven that method might be.

Do note, the existing randomness sources are still being sampled and
mixed into the pool, so even if the starting state from the saved
entropy may be known (by violating the security of the storage),
it's still not possible to predict the complete stream of randomness
data once the system has seen a bit of uptime (given that there are
actual other sources of (unverified) entropy which aren't all of too
low quality).

However, in the new scheme of things, because most of the
traditional sources have unknown quality, and we have no reliable
method to estimate how much "actual entropy" those sources
provide, they no longer count towards the *estimate* of what is
now a lower bound on the "real" entropy available in the pool.

> Lastly, why would anyone presume that RDRAND generates less predictable
> bits (less predictable to someone who knows how it works) than any of
> the other methods that are used.

Looking at

  https://en.wikipedia.org/wiki/RDRAND

and the reference [3] at

  http://software.intel.com/sites/default/files/m/d/4/1/d/8/441_Intel_R__DRNG_Software_Implementation_Guide_final_Aug7.pdf

reveals that the on-chip entropy source samples thermal noise on
the chip, ref. page 12 where it says:

   The Entropy Source runs asynchronously on a self-timed circuit
   and uses thermal noise within the silicon to output a random
   stream of bits at the rate of 3GHz.

That bitstream is then fed through an "AES-CBC-MAC" based
conditioner and an AES-CTR based deterministic random bit
generator, before the result is given to the user via RDRAND.

If I'm not very much mistaken, thermal noise is one of the well-
known physical sources of actual entropy.

Besides, the implementation has been thoroughly vetted.  E.g. the
reference [7] from the Wikipedia article states in the conclusion on
page 20

   Overall, the Ivy Bridge RNG is a robust design with a large
   margin of safety that ensures good random data is generated even
   if the Entropy Source is not operating as well as predicted.

Personally, I as a non-expert can't find anything which seems
overly worrisome with RDRAND.

Best regards,

- Håvard
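
Added example, not part of the original message and not NetBSD's kernel code: a toy hash-based pool illustrating the distinction drawn in the message between mixing a sample into the pool and crediting it in the entropy estimate. The names `Pool`, `boot` and `demo`, the 256-bit credit given to the saved seed, and the sample values are assumptions of this model.

```python
import hashlib

POOL_BITS = 256  # capacity of this toy pool (assumption of the model)

class Pool:
    """Toy hash-based entropy pool; a model, not NetBSD's implementation."""
    def __init__(self):
        self.state = bytes(32)
        self.estimate = 0  # credited lower bound on entropy, in bits

    def mix(self, data: bytes, credit_bits: int = 0) -> None:
        # Every sample changes the state, whatever its credit.
        self.state = hashlib.sha256(b"mix" + self.state + data).digest()
        # Only sources with a trusted entropy figure raise the estimate.
        self.estimate = min(POOL_BITS, self.estimate + credit_bits)

    def extract(self, n: int = 16) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        # Ratchet so earlier output cannot be recomputed from later state.
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

def boot(seed: bytes, samples=()) -> Pool:
    """Load the saved seed with full credit, then mix uncredited samples."""
    pool = Pool()
    pool.mix(seed, POOL_BITS)
    for s in samples:
        pool.mix(s, 0)
    return pool

# Constructed sample data: a seed file whose contents have leaked, and
# low-order bits of disk interrupt timings that were never stored anywhere.
SEED = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)
TIMINGS = [bytes([b]) for b in (0x3, 0x6, 0x1, 0x7, 0x2, 0x5)]

def demo():
    guess = boot(SEED).extract()   # output recomputed from the leaked seed alone
    fresh = boot(SEED)             # pool right after boot, nothing mixed in yet
    later = boot(SEED, TIMINGS)    # pool after uncredited samples were mixed in
    return {
        "estimate_at_boot": fresh.estimate,
        "estimate_after_uptime": later.estimate,
        "predicted_at_boot": fresh.extract() == guess,
        "predicted_after_uptime": later.extract() == guess,
    }

if __name__ == "__main__":
    print(demo())
```

The estimate is the same in both pools because the timing samples carry no credit, while the output of the second pool no longer matches what the leaked seed alone predicts.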

