[cryptography] does the mixer pull or do the collectors push?

[ianG]

On 28/11/13 12:12 PM, Joachim Strömbergson wrote:


One issue I'm thinking of is if you have more than one source, but one
of them dwafs the other sources in kapacity. Say having a microphone
providing whitish noise at kbps rate and then having RdRand from your
Haswell CPU generating data at Gbps speed, will the microphone entropy
matter?




I'm thinking about the same issues, we're designing a classical RNG 
along the lines of  three elements:


   collector \
  \
   collector - mixer --- expansion function/CSPRNG
  /
   collector /

Here is my list of assumptions:

/*
 * Assumption A:some of our collectors are borked.
 *A.2:  we don't know which collectors are borked.
 *A.3:  We do not rely on measurements of entropy
 *  because a borked collector will deliver
 *  false estimates.
 * Assumption B:Some of our collectors have very high
 *  throughput, others very low.
 * Assumption B.2:  Some are high quality, others are low quality.
 * Assumption C:At least one collector is good.
 * Assumption D:Core java, plus/minus Android.
 *
 *
 * Goal 1.  Each collector should contribute to any request for a seed.
 * Goal 2.  No blocking.  Or minimal blocking...
 */


Our current thoughts are along the question of how the collector and 
mixer interface.  Do the collectors push to the mixer or does the mixer 
pull from the collectors?


Right now we're looking at a hybrid design of both:  Collectors collect 
and save, and push into a mixer pool on their own when full.  When the 
EF/CSPRNG pulls a seed from the mixer, it pulls from collectors, pulls 
from the pool, and mixes all that for the seed.


Thoughts?

iang
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography

Re: [cryptography] does the mixer pull or do the collectors push?

[Nico Williams]

Power management is an issue.  Therefore entropy collection cannot be
periodic, not with high frequency anyways.

Instead collection must happen as needed and/or opportunistically, and
as much entropy should be collected as possible without increasing
latency by too much.  Opportunistic collection is fine, but
opportunistic pushing into the mixer when there's no demand for CSPRNG
outputs... is not power management friendly.

Therefore:

 - for initial CSPRNG seeding  the question is irrelevant: whether
push or pull, we must wait until we have enough entropy from all the
sources at hand;

   (since we're blocking and there may/should be multiple sources,
some of which may involve slow I/O, async/concurrent polling is
necessary so as to wait no longer than we must wait for the slowest
source)

 - for opportunistic (but not periodic, at least not with short
periods) mixing-in of new seeds, mixers should use consume entropy
from all pools that have available entropy, without discriminating as
to origin (since, after all, we're positing a properly-seeded CSPRNG).

Remember, we started this long set of long threads because of a paper
about /dev/urandom robustness.  The assumption is partial compromise,
and the goal is to recover (i.e., cause the attacker's knowledge of
CSPRNG state to become stale) quickly.  Suspend/resume, buses that
allow external device-initated DMA to all physical memory, ... these
are potential sources of partial compromise.

Anytime there's a suspend event the system should encrypt sensitive
state (e.g., filesystem keys, CSPRNG state), and decrypt it on resume.
 Since the encryption key in that case is likely to be a
password-derived (i.e., weak) key, or it may be missing altogether
(the user doesn't want to bother), CSPRNG reseeding on resume is...
highly desirable.

Nico
--
___
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography