From: Stephan Müller
To: James Morris
Cc: Mickaël Salaün, David Miller, Herbert Xu, John Haxby, Konrad Rzeszutek Wilk, Simo Sorce, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org, hpa@zytor.com, tytso@mit.edu
Subject: Re: [PATCH v1] crypto: Make the DRBG compliant with NIST SP800-90A rev1
Date: Wed, 23 Jun 2021 19:27:53 +0200
Message-ID: <8811360.37IJKxs2K1@positron.chronox.de>
References: <20210623120751.3033390-1-mic@digikod.net> <9dbbf4e751cb4953fe63079cdc917a0bb3a91670.camel@chronox.de>
List-ID: linux-crypto@vger.kernel.org

On Wednesday, 23 June 2021, 19:00:29 CEST, James Morris wrote:

Hi James,

> On Wed, 23 Jun 2021, Stephan Mueller wrote:
> > > These changes replace the use of the Linux RNG with the Jitter RNG,
> > > which is NIST SP800-90B compliant, to get a proper entropy input and a
> > > nonce as defined by FIPS.
> >
> > Can you please help me understand what is missing in the current code
> > which seemingly already has achieved this goal?
>
> The advice we have is that if an attacker knows the internal state of the
> CPU, then the output of the Jitter RNG can be predicted.

Thank you for the hint. And I think such a goal is worthwhile (albeit I have to admit that if an attacker is able to gain the internal state of a CPU, I would assume we have more pressing problems than a bit of entropy).

Anyways, the current code does:

- in regular mode: seed the DRBG with 384 bits of data from get_random_bytes
- in FIPS mode: seed the DRBG with 384 bits of data from get_random_bytes concatenated with 384 bits from the Jitter RNG

If I understand the suggested changes right, I would see the following changes in the patch:

- in the regular case: 640 bits from get_random_bytes
- in FIPS mode: 256 bits of data from get_random_bytes concatenated with 384 bits from the Jitter RNG

So, I am not fully sure what the benefit of the difference is: in FIPS mode (where the Jitter RNG is used), the amount of data pulled from get_random_bytes now seems to be reduced. Maybe I am missing a point here, but I currently fail to understand why the changes should be an improvement compared to the current case.

Ciao
Stephan
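As an added illustration (not code from the patch, from the kernel's DRBG, or from either poster): a Python model of the four seed layouts the reply compares, each fed into an SP800-90A Hash_DRBG instantiate (Hash_df over SHA-256, seedlen 440 bits) so the per-source bit counts and the resulting state are visible side by side. The RNG stand-ins are constructed fixed bytes, and treating the concatenated bytes as the whole entropy_input || nonce seed material is my assumption.

```python
import hashlib

SEEDLEN = 55   # Hash_DRBG seedlen for SHA-256: 440 bits (SP800-90A Table 2)

# Seed layouts exactly as the reply lists them, in bytes per source.
# Keyed by (variant, mode); sources are "kernel" (get_random_bytes) and "jitter".
SEED_LAYOUTS = {
    ("current", "regular"):  [("kernel", 48)],
    ("current", "fips"):     [("kernel", 48), ("jitter", 48)],
    ("proposed", "regular"): [("kernel", 80)],
    ("proposed", "fips"):    [("kernel", 32), ("jitter", 48)],
}

def seed_material(variant, mode, sources):
    """Concatenate the seed material for one layout.
    sources maps a source name to a callable returning n bytes.
    Returns (material, bits_per_source) so the source split stays visible."""
    parts, bits = [], {}
    for name, nbytes in SEED_LAYOUTS[(variant, mode)]:
        parts.append(sources[name](nbytes))
        bits[name] = bits.get(name, 0) + nbytes * 8
    return b"".join(parts), bits

def hash_df(input_string, no_of_bytes):
    """SP800-90A 10.3.1 Hash_df with SHA-256: the seed derivation function."""
    no_of_bits = (no_of_bytes * 8).to_bytes(4, "big")
    temp, counter = b"", 1
    while len(temp) < no_of_bytes:
        temp += hashlib.sha256(bytes([counter]) + no_of_bits + input_string).digest()
        counter += 1
    return temp[:no_of_bytes]

def hash_drbg_instantiate(material, personalization=b""):
    """SP800-90A 10.1.1.2: derive the working state (V, C, reseed_counter)
    from entropy_input || nonce || personalization_string."""
    V = hash_df(material + personalization, SEEDLEN)
    C = hash_df(b"\x00" + V, SEEDLEN)
    return V, C, 1

# Constructed stand-ins for get_random_bytes() and the Jitter RNG: fixed,
# NOT random bytes, only so the model runs offline and deterministically.
FAKE_SOURCES = {
    "kernel": lambda n: bytes([0x4B]) * n,
    "jitter": lambda n: bytes([0x6A]) * n,
}

if __name__ == "__main__":
    for variant, mode in SEED_LAYOUTS:
        material, bits = seed_material(variant, mode, FAKE_SOURCES)
        V, C, _ = hash_drbg_instantiate(material)
        print(f"{variant:8} {mode:7} seed bits {bits}  V={V[:4].hex()}..")
```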