Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp2814712pxv; Sun, 27 Jun 2021 09:37:24 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxUtcg2rCYhKqBaH5V68y3qVNgTKldHw5Pj3JyCoF4zup18m3UC1VXyL+8ZGkj6V4Q8qCyr X-Received: by 2002:a17:906:7004:: with SMTP id n4mr13122752ejj.524.1624811844559; Sun, 27 Jun 2021 09:37:24 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624811844; cv=none; d=google.com; s=arc-20160816; b=YLks/hSSscS8ZRdrQbUIK+d8YPS6H/LBnUmtGudlTg82T9rP63ebgJHVIRS+bUsvxJ r939xznDQ+QO6qxG9XoQ+RHPXs5SohiYrSAW0agU3lz6YBrNLMk3mMWhbpe6U0Igt5dw O7Q98w5xTbQfrtDQlDKX10jQr/XRsm1TvJn3cHIqi/TbuqgyeUmJ0yCglDtO+8usghLY an4Or+YqF54vand1M+jLNVtNh3WXgDd4IIyug1bmj9Av1E8QeHshIdKFGec0gVYAys8d V8GA2tLkBMctV4nqiaC7I++750AYEcCSicrX+WBKXb90ce3WLChh7QtWFS7CJzE6mhbk q+Ew== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:to:subject:message-id :date:from:in-reply-to:references:mime-version:dkim-signature; bh=omimQxIzOAwhYkeMRubnROCdKPxWEo2EeSbQ3aFOPYs=; b=pWPx9pwfun2s1eoG3fEQTTCG9WZ7drmha1sUs873i55OZoefhdUYI0nuflhIUVs86X B/UMk7OvL5JxXBuuDD0IC1SaFgVhzpa4qxl3zpHrIrMIyv8v/MAoKdrraEPsFVCHZ81I 00KHNo6NGFvXLdUsiK7T8zicpfnMza8PL47HDOYuBHHiaDvBdL+74dPaNRO1vEGTFawf cU6LzhthLN9PmMXtkqQqEeSYF2o3Li6KvFvLQF2FPA54x0x1uNOvnidoY53m1kRxicJ/ itigiN6P4pLlVi22yU9oGiDfIcBvI+uwUs1klDwck7cV/nGPXa+rvRnUZ8Mxkb92x2T2 0d6g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ib.tc header.s=google header.b=SRcB0HiW; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id em22si12222169ejc.687.2021.06.27.09.36.42; Sun, 27 Jun 2021 09:37:24 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ib.tc header.s=google header.b=SRcB0HiW; spf=pass (google.com: domain of linux-crypto-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-crypto-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230315AbhF0Qi1 (ORCPT + 99 others); Sun, 27 Jun 2021 12:38:27 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59174 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230309AbhF0Qi0 (ORCPT ); Sun, 27 Jun 2021 12:38:26 -0400 Received: from mail-wm1-x332.google.com (mail-wm1-x332.google.com [IPv6:2a00:1450:4864:20::332]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4A722C061574 for ; Sun, 27 Jun 2021 09:36:02 -0700 (PDT) Received: by mail-wm1-x332.google.com with SMTP id u20so4411523wmq.4 for ; Sun, 27 Jun 2021 09:36:02 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ib.tc; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :content-transfer-encoding; bh=omimQxIzOAwhYkeMRubnROCdKPxWEo2EeSbQ3aFOPYs=; b=SRcB0HiWAFayqaSdVoP0s2EJBzWf+dFcE3HNr/j0q87Zj9O+aGGMOMw1iHbuoq7ibi /A1YrLRtN88xCQC76USOjH6SMwDxfp4ewFQGMfW/scb8V4X2nQHuRIhJos14gWtEEjRE G4XdVcgDn2LhmJsogq/j0IhfnCvjTKC45Ap7A7wSsdqcApH6NPVPHUxYlEJtppDp3uvm ZtarmzDO5wtkou+YSEiLZZqKEo6TB13+F0+z4mnilnG+wC+8UveyN9wb81y9RHj2f2uR llmUsYx5K7RrOPm7r2kkgIXxeCgb84ruSGjqcSF58oWytZKHeJfswIf4I5GsleElr2Jv okbg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:content-transfer-encoding; bh=omimQxIzOAwhYkeMRubnROCdKPxWEo2EeSbQ3aFOPYs=; b=juYgLt9NKBP65zeqru6nA620dPzg7bV7dAYsoDz191dpWB/Ykg7/Xww9vz0Dfr0u0I aRi/N62hdIy/vTRyUwiB8FAGmAo3MqAhPvX+LDF4F48sCXHM2YTaj6JTN34yINIvEo/+ tyXnOraW2GL/cgWrCZePduhgRggDVN58pNR9TMBLxU+weU52yLW8XX6mVrxrl+LvXfHc GvqJyO8vSPHHNMWmr2jlahh3BOVmF5iJ3TYAnaBUkvKYX3bgzpjIzOXFX/Cf4f5JIMo1 txqf//YdlVMprBRmLD+gPWVvfeY0+ibRZcUyk/6JoIiSMBN/fJDIMFe5llsCnGg7wyRV idfQ== X-Gm-Message-State: AOAM531kqEs7OSJKK7616T9pcAN4sHApxPVQV9UmZqCjVlnht0/SEz1f 0Qy9R5m1cf/YLdMICoTdCSjmIxr3fn3C0SD6bXmeQ6LUaWuAAQ== X-Received: by 2002:a05:600c:2512:: with SMTP id d18mr22309346wma.85.1624811760467; Sun, 27 Jun 2021 09:36:00 -0700 (PDT) MIME-Version: 1.0 References: In-Reply-To: From: Mike Brooks Date: Sun, 27 Jun 2021 09:35:46 -0700 Message-ID: Subject: Re: Lockless /dev/random - Performance/Security/Stability improvement To: Linux Crypto Mailing List Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable Precedence: bulk List-ID: X-Mailing-List: linux-crypto@vger.kernel.org I apologize for my late reply - an erroneous email filter hid these messages from me. I'd like to take the time to thank you for all of your responses and let me address any of the questions that were brought up on this thread. To reply to Sandy Harris. The code on github is a suggested /dev/random and /dev/urandom replacement and it has some interesting tradeoffs from the incumbent implementation. There are always rooms for improvements, and I am exploring what it means to have a lockless entropy store for Linux. But you bring up a very important question - is AES required? Or why not use a hand-crafted routine to access bits. There are two responses to this. The first being evident by the use of dieharder. A naive method of shifting bits to pull out data from the entropy pool will be detected with the 'dieharder' test suite. The implementation on github will write a sample file, and any assessors that pull data from the entropy pool need to be susceptible to an avalanche. We need a method that is quantifiable, and one that is widely accepted as being ideal. So could a fast, but less than ideal hash function like sha1 be used? Absolutely, but AES-NI is still faster on platforms that enable it... And this is where Stephan M=C3=BCller's post comes into play. Given the diversity of hardware platforms, and the varying levels of dependency on /dev/random - there is a need on behalf of admins to tailor the performance of this interface as it impacts *every* syscall because each interrupt is an entropy source. the base default should be good enough for anyone, I agree strongly with your view on a secure by default system. Consider an HFT trading bot - you don't want to penalize any interrupt. It would be great to have a NIST-Compliant Random Number Generator that has this interrupt-taxation as optional - but disabling it shouldn't cause anyone to be compromised, but if you are paranoid then additional sources can be added as further hardening. Ultimately I'd like to make a patch file for this implementation and run benchmarks to show the efficacy of the design. Thank you all for your feedback, and I'm happy to consider alternate lockless-designs. Best regards, Michael Brooks On Sat, Jun 26, 2021 at 1:24 PM Mike Brooks wrote: > > I apologize for my late reply - an erroneous email filter hid these messa= ges from me. > > I'd like to take the time to thank you for all of your responses and let = me address any of the questions that were brought up on this thread. > > To reply to Sandy Harris. The code on github is a suggested /dev/random = and /dev/urandom replacement and it has some interesting tradeoffs from the= incumbent implementation. There are always rooms for improvements, and I = am exploring what it means to have a lockless entropy store for Linux. > > But you bring up a very important question - is AES required? Or why not= use a hand-crafted routine to access bits. There are two responses to thi= s. The first being evident by the use of dieharder. A naive method of shi= fting bits to pull out data from the entropy pool will be detected with the= 'dieharder' test suite. The implementation on github will write a sample= file, and any assessors that pull data from the entropy pool need to be su= sceptible to an avalanche. We need a method that is quantifiable, and one t= hat is widely accepted as being ideal. So could a fast, but less than ideal= hash function like sha1 be used? Absolutely, but AES-NI is still faster = on platforms that enable it... > > And this is where Stephan M=C3=BCller's post comes into play. Given the d= iversity of hardware platforms, and the varying levels of dependency on /de= v/random - there is a need on behalf of admins to tailor the performance o= f this interface as it impacts *every* syscall because each interrupt is an= entropy source. the base default should be good enough for anyone, I agre= e strongly with your view on a secure by default system. > > Consider an HFT trading bot - you don't want to penalize any interrupt. = It would be great to have a NIST-Compliant Random Number Generator that has= this interrupt-taxation as optional - but disabling it shouldn't cause any= one to be compromised, but if you are paranoid then additional sources can = be added as further hardening. > > Ultimately I'd like to make a patch file for this implementation and run = benchmarks to show the efficacy of the design. Thank you all for your feed= back, and I'm happy to consider alternate lockless-designs. > > Best regards, > Michael Brooks > > On Fri, Jun 11, 2021 at 2:44 AM Sandy Harris wro= te: >> >> Sandy Harris wrote: >> >> > The basic ideas here look good to me; I will look at details later. >> >> Looking now, finding some things questionable. >> >> Your doc has: >> >> " /dev/random needs to be fast, and in the past it relied on using a >> cryptographic primitive for expansion of PNRG to fill a given request >> >> " urandom on the other hand uses a cryptographic primitive to compact >> rather than expand, >> >> This does not seem coherent to me & as far as I can tell, it is wrong as= well. >> /dev/random neither uses a PRNG nor does expansion. >> /dev/urandom does both, but you seem to be saying the opposite. >> >> " We can assume AES preserves confidentiality... >> >> That is a reasonable assumption & it does make the design easier, but >> is it necessary? If I understood some of Ted's writing correctly, one >> of his design goals was not to have to trust the crypto too much. It >> seems to me that is a worthy goal. One of John Denker's papers has >> some quite nice stuff about using a hash function to compress input >> data while preserving entropy. It needs only quite weak assumptions >> about the hash. >> https://www.av8n.com/turbid/ >> >> You want to use AES in OFB mode. Why? The existing driver uses ChaCha, >> I think mainly because it is faster. >> >> The classic analysis of how to use a block cipher to build a hash is >> Preneel et al. >> https://link.springer.com/content/pdf/10.1007%2F3-540-48329-2_31.pdf >> As I recall, it examines 64 possibilities & finds only 9 are secure. I >> do not know if OFB, used as you propose, is one of those. Do you?