On Tuesday, 18 September 2012 at 22:14, Pawel Jakub Dawidek wrote: > I experimented a bit with collecting entropy from the time it takes for= > device=5Fattach() to run (in CPU cycles). It seems that those times hav= e > enough variation that we can use it for entropy harvesting. It happens > even before root is mounted, so pretty early. > =20 That sounds really great. =20 > If all the times are more or less equally probable in this range =5B=E2= =80=A6=5D They're very unlikely to be equally probable. It would make sense to do s= ome characterization of these times and their statistics: a highly non-un= iform distribution would mean that we don't actually get many bits per at= tach. =20 > =5B=E2=80=A6=5D we have more > than 19 bits of entropy from this one call, but I reduced if to four > bits only, because there are devices that are much faster to attach. > =20 Another reason for doing the above characterization is that, if a particu= lar device=5Fattach() really does provide 12 bits of uncertainty, it's a = shame to drop eight of them on the floor. > We could make the code more complex by assuming 0.01% of the time > varies, which should still be safe and will allow to collect more > entropy from those long calls. > =20 I'm a bit leery of assuming that things =22should still be safe=22 for th= e above reasons. Again, some hard numbers would really help here. Maybe w= e should even convince a student to do a project. :) Jon -- =20 Jonathan Anderson Research Associate Computer Laboratory University of Cambridge jonathan.anderson=40cl.cam.ac.uk +44 1223 763 747 _______________________________________________ [email protected] mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security To unsubscribe, send any mail to "[email protected]"