Date: Thu, 24 Mar 2022 21:45:56 -0400
From: "Theodore Ts'o"
To: Sandy Harris
Cc: Linux Crypto Mailing List, "Jason A. Donenfeld"
Subject: Re: Entropy as a Service?
List-ID: linux-crypto@vger.kernel.org

On Thu, Mar 24, 2022 at 02:10:26PM +0800, Sandy Harris wrote:
> NIST have a project called Entropy as a Service; the main goal seems
> to be to provide adequate entropy even on IoT devices which may have
> various limitations.
> https://csrc.nist.gov/projects/entropy-as-a-service
>
> I have not yet looked at all the details but -- since Linux runs on
> many IoT devices and on some of them random(4) encounters difficulties
> -- I wonder to what extent this might be relevant for Linux.

There is more detail about the proposal here:

https://csrc.nist.gov/Projects/Entropy-as-a-Service/Architectures

My initial reactions:

1) This is not a matter for the kernel, but for userspace to implement,
since it involves multiple HTTP (yes, really, HTTP, not HTTPS) and NTP
exchanges --- the crypto is done explicitly since presumably the
designers didn't want to assume the IOT has a comment and bug-free(tm)
implementation of HTTPS. Probably a good idea....

2) The scheme only works if you assume that there is no collusion
between the operators of the various remote servers used in the
protocol.

3) NIST recognizes this, and has the following warning:

   WARNING: The resulting from Step 6 of the protocol random data shall
   not be used directly for constructing cryptographic keys with it or
   as a seed to a DRBG. Instead, known cryptographic mechanisms for
   combining multiple random data sources shall be used to mix random
   data obtained from multiple remote EaaS instances with local, with
   respect to the client system and the HRT device, randomness to create
   a seed for a NIST approved DRBG. Such cryptographic mechanisms are
   known in the trade as entropy/randomness extraction. It is strongly
   recommended at a minimum two independent EaaS instances located in
   different geopolitical locales be used as remote sources....

My conclusion is that it's not snake oil, but it's not a magic bullet,
either. TNSTAAFL.

- Ted
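The NIST warning quoted above, and Ted's point 2 about colluding operators, both come down to one rule: remote EaaS bytes are only ever one input to an extractor, never the seed itself. The following is an added example, not code from the post, from NIST or from the kernel, of what that extraction step looks like in userspace. It uses HKDF-Extract (RFC 5869, HMAC-SHA256) over the length-prefixed concatenation of local randomness plus at least two remote responses; the fixed salt, the minimum-source policy, the use of os.urandom() as the local source and the sample "EaaS responses" are this example's own assumptions and constructed data, not anything specified by NIST.

```python
"""Entropy/randomness extraction: mixing several remote EaaS responses with
local randomness before deriving a DRBG seed.

Added example, not code from the post, NIST or the kernel. The extractor is
HKDF-Extract (RFC 5869, HMAC-SHA256) over the length-prefixed concatenation
of all sources; the constant salt, the minimum-source policy and the sample
inputs below are this example's own choices and constructed data.
"""
import hashlib
import hmac
import os
import struct

# Domain-separation salt for HKDF-Extract. A fixed, public salt is fine for an
# extractor (RFC 5869, section 3.1): the secrecy comes from the inputs.
SALT = b"eaas-seed-extractor-v1"  # assumed constant, not from NIST

MIN_REMOTE_SOURCES = 2  # NIST recommends at least two independent EaaS instances


def _encode_sources(sources):
    """Length-prefix each source so the concatenation is unambiguous.

    Without the prefix, (b"ab", b"c") and (b"a", b"bc") would hash identically.
    """
    out = bytearray()
    for chunk in sources:
        out += struct.pack(">I", len(chunk)) + chunk
    return bytes(out)


def extract_seed(local, remote, salt=SALT):
    """Derive a 32-byte DRBG seed from local randomness plus remote EaaS outputs.

    The result is the HKDF-Extract PRK. It stays unpredictable to an attacker
    as long as any one input (the local randomness in particular) is unknown
    to them, which is why remote data must never be used on its own.
    """
    if not local:
        raise ValueError("local randomness is required; remote data alone must not seed a DRBG")
    if len(remote) < MIN_REMOTE_SOURCES:
        raise ValueError("need at least %d independent EaaS responses" % MIN_REMOTE_SOURCES)
    if any(len(r) == 0 for r in remote):
        raise ValueError("empty EaaS response")
    ikm = _encode_sources([local, *remote])
    return hmac.new(salt, ikm, hashlib.sha256).digest()


def unsafe_seed(remote):
    """What the NIST warning forbids: taking a remote response as the seed.

    Kept only to contrast with extract_seed(); a colluding or compromised
    EaaS operator knows this value exactly.
    """
    return remote[0]


def colluding_servers_demo():
    """Model remote operators who know every byte they served.

    Returns (attacker_predicts_unsafe, attacker_predicts_mixed). The attacker
    reproduces the unsafe seed trivially; against extract_seed() the best they
    can do is guess the local randomness (here: assume it was all zeros).
    """
    # Constructed sample data: two "EaaS responses" fully known to the attacker.
    remote = [bytes(range(32)), bytes(range(32, 64))]
    local = os.urandom(32)  # assumed local source (getrandom(2) on Linux)

    unsafe = unsafe_seed(remote)
    mixed = extract_seed(local, remote)

    attacker_unsafe = remote[0]                        # exact reproduction
    attacker_mixed = extract_seed(bytes(32), remote)   # guess at local bytes

    return attacker_unsafe == unsafe, attacker_mixed == mixed


if __name__ == "__main__":
    print("attacker predicts unsafe seed: %s, mixed seed: %s" % colluding_servers_demo())
```

Two things the block makes concrete that the warning only states: the extractor output depends on every source and on their order (the length prefix keeps two sources from being re-split into different ones with the same hash), and the only quantity a colluding operator cannot reproduce is the local randomness, so a device with no local source at all gains nothing from mixing however many EaaS instances it contacts.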