[Freedombox-discuss] Fwd: timer entropy

Sandy Harris sandyinchina at gmail.com
Tue Oct 4 15:22:14 UTC 2011


On Tue, Oct 4, 2011 at 8:36 PM, Frank <frank at debian-nas.org> wrote:

> great to see efforts to create additional sources for entropy. I took the
> liberty of reading the accompanying PDF paper in the FTP repository for
> maxwell. In the paper the claim is made that HAVEGED is only
> 'pseudo-random'.

I did not intend to make that claim, more that Havege is /partly/
pseudo-random.

I do not know about Haveged, the Debian daemon. I was going by, and
quoting, the documentation on the Havege web site:
http://www.irisa.fr/caps/projects/hipsor/

"HAVEGE [ HArdware Volatile Entropy Gathering and Expansion ]"

"HAVEGE combines on-the-fly hardware volatile entropy gathering
with pseudo-random number generation."

As I read that, the "entropy gathering" is a true hardware RNG. The
"and Expansion" part is pseudo-random.

> Do you mean to say with that statement that the crucial difference between
> HAVEGED and maxwell is, that maxwell never over-estimates the entropy it
> seeds and HAVEGED potentially does?

I hope that is true for maxwell(8), and give arguments in the paper that it is.
The Havege entropy gathering is almost certainly better, since it uses more
sources. Maxwell relies on a timer alone.

To me, the "and expansion" and the description quoted imply that part
of Havege is only pseudo-random. That does not matter unless Haveged
is being used to replace /dev/random for critical things like
generating long-term PGP keys. It would also matter if you were
contemplating using havege as /dev/random's only source of entropy and
you needed to worry (as I think the FBox project must) about attacks
from people with enormous resources, such as a major government. In
that case, though, there's an easy solution -- make sure there are
some other entropy sources, e.g. by running maxwell as well or making
sure entropy collection from net interrupts is enabled.

Even for critical apps, it might be just fine depending on how the
pseudo-random part of Havege is designed, and exactly how and how
often it is re-seeded from the truly random part. Generators like
Yarrow (http://www.schneier.com/yarrow.html) have that sort of
two-part design, and are thought highly secure. I have not looked at
Havege at this level of detail, but the details are readily available
-- Open Source code and several papers.

> If yes, can you give me practical steps
> on how to measure that this is actually happening on my systems, on which I
> use HAVEGED? Up to now I have never had any reason to doubt the quality of
> entropy data generated by HAVEGED (tested with, for example, ENT).

Measuring will not help much. Things like ent(1) or the Diehard tests
(http://www.stat.fsu.edu/pub/diehard/) test an output sequence. They
can tell you if it looks random. However, if you feed them the output
of a high-grade pseudo-random generator, they say it is random. If
what you actually need is true randomness, the tests may not tell you
enough.

If you have critical things depending on Haveged, you probably need to
read the Havege papers and source code.

If you are feeding Haveged data to random(4) and find from the reading
that it may not be random enough, one solution would be to use some
sort of fudge factor -- write 128 bits, credit 90 bits of entropy or
whatever. A better solution -- and, for all I know, one that haveged
uses; I've only looked at the Havege site, not the Debian code --
would be to bypass the "and expansion" part of Havege, just use the
"entropy gathering" code. That would almost certainly give a faster
generator than maxwell, capable of far higher volume; it might be
cheaper as well.
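The "write 128 bits, credit 90 bits" approach above maps directly onto the Linux RNDADDENTROPY ioctl on /dev/random, which takes both the data and the number of entropy bits the caller vouches for. The following is an added example, not code from this thread, maxwell or haveged; it assumes Linux, root (CAP_SYS_ADMIN), and a constructed 16-byte sample standing in for real timer-jitter data.

```c
/* Added example: feed bytes to the Linux random(4) pool while crediting
 * fewer entropy bits than were written (a conservative "fudge factor"). */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#if defined(__linux__) && !defined(RNDADDENTROPY)
#  define RNDADDENTROPY _IOW('R', 0x03, int[2])  /* same value as linux/random.h */
#endif

/* Layout-compatible with the kernel's struct rand_pool_info. */
struct pool_input {
    int entropy_count;   /* bits of entropy the caller vouches for */
    int buf_size;        /* bytes of data that follow */
    uint32_t buf[];      /* the data itself, zero-padded to a word boundary */
};

/* Never claim more entropy than bits actually supplied. */
int clamp_credit_bits(size_t nbytes, int credit_bits) {
    int max_bits = (int)(nbytes * 8);
    if (credit_bits < 0) return 0;
    return credit_bits > max_bits ? max_bits : credit_bits;
}

/* Build the ioctl request; caller frees. */
struct pool_input *make_pool_input(const uint8_t *data, size_t nbytes, int credit_bits) {
    size_t words = (nbytes + 3) / 4;
    struct pool_input *p = calloc(1, sizeof *p + words * sizeof(uint32_t));
    if (!p) return NULL;
    p->entropy_count = clamp_credit_bits(nbytes, credit_bits);
    p->buf_size = (int)nbytes;
    memcpy(p->buf, data, nbytes);
    return p;
}

/* Submit to the kernel. Returns 0 on success, -1 on error (e.g. not root). */
int add_entropy(const uint8_t *data, size_t nbytes, int credit_bits) {
#ifdef __linux__
    struct pool_input *p = make_pool_input(data, nbytes, credit_bits);
    if (!p) return -1;
    int fd = open("/dev/random", O_WRONLY);
    int rc = (fd < 0) ? -1 : ioctl(fd, RNDADDENTROPY, p);
    if (fd >= 0) close(fd);
    free(p);
    return rc;
#else
    (void)data; (void)nbytes; (void)credit_bits;
    return -1;   /* RNDADDENTROPY is Linux-specific */
#endif
}

int main(void) {
    /* Constructed sample: 16 bytes (128 bits) where real jitter samples would go. */
    uint8_t sample[16] = {0x4c,0x9a,0x01,0xe7,0xb3,0x22,0x5f,0x8d,
                          0x10,0xca,0x7e,0x33,0x91,0x06,0xd8,0x6b};
    int rc = add_entropy(sample, sizeof sample, 90);  /* 128 bits written, 90 credited */
    printf("RNDADDENTROPY %s\n", rc == 0 ? "ok" : "failed (needs root on Linux)");
    return 0;
}
```

Crediting less than you write only makes the kernel's entropy estimate more conservative; it does not make weak input stronger.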
