Intel 810 Random Number Generator
H. Peter Anvin
hpa en transmeta.com
Vie Ene 28 06:06:57 CST 2000
Pavel Machek wrote:
>
> Hi!
>
> > > Very easy to work around. A keyboard that's being pounded on
> > > generates:
> > >
> > > MAKE BREAK MAKE BREAK MAKE BREAK MAKE BREAK
> > >
> > > A keyboard that's autorepeating generates:
> > >
> > > MAKE MAKE MAKE MAKE MAKE MAKE MAKE MAKE MAKE
> > >
> > > Therefore, you ignore a MAKE signal from any key that you already know
> > > is down.
> >
> > PGP did this by ignoring two strokes from one key in a row, so you had to
> > alternate between at least two keys.
>
> Yes, but do you think me alternating between two keys at fastest speed
> possible is giving much random data? I just timed myself, and it gives
> something like 9chars/second. Thats well around jiffie
> resolution. [ok, on pentium+ rng uses rdtsc, but no such thing is done
> for other architectures]
>
> Should we put "while sitting on linux machine do NOT press
> two-key-sequence at fastest possible rate, because it could drain all
> randomness out of entropy pool"?
>
> Certainly not.
>
Of course not. Instead you need to have a reasonable function for
determine how much randomness you can expect. Perhaps you need to have
a trigger level: don't add randomness unless the prevous keystroke was
at least N ms separated, unless we have a high-resolution counter.
Why don't we use the TSC on other architectures that have them, e.g.
Alpha?
>
> Sources we use for gaining randomness are not much random at all, so I
> think adding i820 [which was _designed_ as random generator, unlike
> keyboard, mouse, and network card!] as yet another randomness source
> should be safe.
>
Yes, this is totally the right thing to do.
>
> People seem to care for NSA adding hooks. But it would be certainly
> easier to add other hooks [like switch me to ring0 when I do this 8
> byte sequence of instructions]. People seem to run statistic tests on
> poor i820 rng, but noone runs the same test on keyboard...
>
Note that if you're using an i820 you're using an x86, and the x86 has
the TSC so that sampling events can derive quite real randomness,
because the timing resolution is so high.
-hpa
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo en vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
Más información sobre la lista de distribución Ayuda