[Ach] Random number generators (was Bug/Ba in OpenSSL)

Adi Kriegisch adi at kriegisch.at
Wed Nov 27 11:40:14 CET 2013


> On 26 Nov 04:43, Ralf Schlatterbeck wrote:
> > I agree on the other assertions that HAVEGE can be used to augment the
> > Kernel random number generator in certain situations where your random
> > sources are limited. This occurs mostly in embedded devices like WLAN
> > routers etc. For these devices HAVEGE will improve your random-number
> > source.
It is probably helpful to distinguish between the algorithm and the daemon:
haveged is most probably meant in this case.
> FYI:
> http://lists.randombit.net/pipermail/cryptography/2013-November/005818.html
> Sounds like testing it is crucial before adding that to the paper.
Hmmm... or probably reading what is in haveged since v1.5:

btw. I did some tests on MIPS and PPC with several megabytes of
'randomness' -- in all cases ent showed that the entropy is just fine. I
probably could test on a SPARC too, but I guess that will not be necessary.

Quoting from current README.Debian of haveged: (The complete readme may be
found here:
  | When asked if the issue also applied to haveged, Gary Wuertz  haveged
  | author replied:
  | First, there are significant differences between the polarssl and haveged
  | implementations of HAVEGE. In general, haveged works much harder to provoke
  | timing variations in the host (larger collection buffer, tuning collection
  | code and walk table to the host L1 caches). See comparison below.
  | I think items d) and e) in the comparison are items where polarssl is
  | particularly weak.

...and the parts of the comparison in question:

  | d) Collector warmup
  |  * PolarSSL: 1 fill
  |  * haveged: 32 fills plus self test
  | e) Run time testing
  |  * PolarSSL: none
  |  * haveged: Continuous and start-up AIS-31 tests (configurable)

And once more HAVEGE is an algorithm that was implemented by eg polarssl
and where they failed to handle certain stuff whereas haveged is a daemon
that *injects* its random bits into the kernel's entropy pool.

Quoting the mail on the crypto list above:
  || Also, the entropy estimator supplied with Havege is (was) broken. We
  || tested Havege in a system simulator where we could manipulate/force the
  || TSC which means that Havege generated predictable values. The estimator
  || happily reported good entropy.
I think this is referring to the link cm came up with. This is fixed in
haveged beginning with version 1.5 by adding AIS-31 tests.

  || On an x86-based server you can use Havege, but use it to feed
  || /dev/random, not as a RNG directly. The same goes for Jytter.
This is exactly what haveged does when you just start it up an leave it

There is a major drawback in haveged on embedded devices however: Its
memory consumption -- by default it takes 4MB of Ram. Probably OpenWRT devs
already dealt with that?!

-- Adi
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 827 bytes
Desc: Digital signature
URL: <http://lists.cert.at/pipermail/ach/attachments/20131127/ba51b144/attachment.sig>

More information about the Ach mailing list