Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Sun, 17 Dec 2000 19:49:21 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Sun, 17 Dec 2000 19:49:11 -0500 Received: from ftp.webmaster.com ([209.10.218.74]:59123 "EHLO shell.webmaster.com") by vger.kernel.org with ESMTP id ; Sun, 17 Dec 2000 19:48:58 -0500 From: "David Schwartz" To: "Karel Kulhavy" , Subject: RE: /dev/random: really secure? Date: Sun, 17 Dec 2000 16:18:31 -0800 Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset="US-ASCII" Content-Transfer-Encoding: 7bit X-Priority: 3 (Normal) X-MSMail-Priority: Normal X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0) X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4133.2400 In-Reply-To: <20001217225057.A8897@atrey.karlin.mff.cuni.cz> Importance: Normal Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org > I noticed peculiarities in the behaviour of the delta-delta-3 system for > entropy estimation in the random.c code./ When I hold right alt > or control, I > get about 8 bits of entropy per repeat fro the /dev/random which is > overestimated. I think the real entropy is 0 bits because it is absolutely > deterministic when the interrupt comes. Am I right or is there any hidden > magic source of entropy in this case? There are hidden sources of entropy. One is clock skew between the keyboard processor's clock, the keyboard controller's clock, and the CPU clock generator's PLL. Another is data motion between the CPU cache and main memory as various interupt service routines are executed interspersed with other system activity. > Right shift, left alt, ctrl and shift make 4 bits per repeat. Is greater > randomness being expected from the keys that return 8 bits? The code does its best to estimate how much actual entropy it is gathering. > When I have a server where n blobk read, keyboard and mouse events occur > (everything is cached within huge amount of semiconductor RAM), > the /dev/random > depends solely on the network packets. These can be manipulated and their > leading edge precisely sniffed. I think here exists a severe risk of > compromise. Am I right? Nope. There is no way to sniff their leading edge accurate to a billionth of a second. If you have a 1Ghz Pentium 3, that's the accuracy you'd need. And you'd need to know that relative to the CPU clock, which comes from an uncompensated quartz crystal oscillator fed into a noisy multiplier. Top that off with variations in the oscillator frequency due to microscopic zone temperature variations. There is no known method to predict these numbers. DS - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/