Bug #2601

IBAA and /dev/random

Added by robin.carey1 about 1 year ago. Updated 6 months ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:-
Target version:-

Description

Dear DragonFlyBSD bugs,

With regard to DragonFlyBSD IBAA & /dev/random implementation:

I noticed that Dragonfly bypasses IBAAs weak initial states (twice) by
"warming up" the CSPRNG in:

1) rand_initialize()

and

2) add_buffer_randomness()
I am referring to the Kernel file: /sys/kern/kern_nrandom.c

----------

I realized that this "probably/might" solve the problem (of IBAAs weak
initial states, which leak the internal state) - but in my opinion does not
100%/definitely solve that problem.

I would like to point out that there is, in my opinion, a guaranteed way to
solve the above problem - and, which also eliminates the above code
duplication (two instances), to one instance.

Also, in my opinion using the new method I am suggesting might also
improve the quality of randomness output, by "smoothing out" the
internal state, i.e. if there is a non-uniform or "jaggedy"
internal-state/memory.

--------------

The new method:

In the "read_random()" function:

Warm up the CSPRNG (IBAA) before producing any output. When I say
"warm up", I mean calling IBAA_Call() 10 times, e.g.:

/*
* Warm up the generator to get rid of weak initial states.
*/
for (i = 0; i < 10; ++i)
IBAA_Call();

--------------

If there are any questions, I am happy to discuss this by E-mail.

Thanks !

--
Sincerely,

Robin Carey BSc


Related issues

Related to Bug #2677: L15 Update Closed

History

#1 Updated by phma 12 months ago

Why use IBAA instead of ISAAC?

#2 Updated by robin.carey1 12 months ago

Dear DragonFlyBSD-bugs,

I tried to reply to Antonio H by the ""
E-mail address, but it didn't work/go-through.
So I am trying the "" address. Sorry if this creates a
problem.

---------- Forwarded message ----------
From: Robin Carey
Date: 4 December 2013 13:31
Subject: Re: [DragonFlyBSD - Bug #2601] IBAA and /dev/random
To: "Antonio M. Huete Jimenez via Redmine" <
>

Because ISAAC is much more complicated (in terms of "lines of code" and
complexity of the algorithm).

ISAAC is supposedly faster than IBAA (according to Bob Jenkins' website).
But I can't understand how
that could be the case, given that IBAA is simpler in terms of "lines of
code" and code/algorithm complexity.

If you read Bob Jenkins' website, it says that one of the requirements for
IA and subsequent IBAA were
that the algorithms/code is/was easy to remember (which I consider to be a
good/enduring quality).

ISAAC sacrificed the "ease of remembrance" requirement.

Note that the version of IBAA in the DragonFlyBSD Kernel/Tree is a
customised version - with the following two improvements (which originated
from myself):
1) The SHIFT value was changed/corrected to 20 (as opposed to 19 in the
original algorithm).
2) It uses a Counter to guarantee a minimum 32-bit cycle-length.

If you read the Wikipedia entry for ISAAC (also applies to IBAA), you will
find a glowing review of his algorithm/CSPRNG. I am not aware of any other
publicly available algorithm which provides such a high quality of
randomness (not to mention the speed and security factors).

On 3 December 2013 20:28, wrote:

>
> Issue #2601 has been updated by phma.
>
>
> Why use IBAA instead of ISAAC?
>
> ----------------------------------------
> Bug #2601: IBAA and /dev/random
> http://bugs.dragonflybsd.org/issues/2601#change-11660
>
> * Author: robin.carey1
> * Status: New
> * Priority: Normal
> * Assignee:
> * Category:
> * Target version:
> ----------------------------------------
> Dear DragonFlyBSD bugs,
>
> With regard to DragonFlyBSD IBAA & /dev/random implementation:
>
> I noticed that Dragonfly bypasses IBAAs weak initial states (twice) by
> "warming up" the CSPRNG in:
>
> 1) rand_initialize()
>
> and
>
> 2) add_buffer_randomness()
> I am referring to the Kernel file: /sys/kern/kern_nrandom.c
>
> ----------
>
> I realized that this "probably/might" solve the problem (of IBAAs weak
> initial states, which leak the internal state) - but in my opinion does not
> 100%/definitely solve that problem.
>
> I would like to point out that there is, in my opinion, a guaranteed way to
> solve the above problem - and, which also eliminates the above code
> duplication (two instances), to one instance.
>
> Also, in my opinion using the new method I am suggesting might also
> improve the quality of randomness output, by "smoothing out" the
> internal state, i.e. if there is a non-uniform or "jaggedy"
> internal-state/memory.
>
> --------------
>
> The new method:
>
> In the "read_random()" function:
>
> Warm up the CSPRNG (IBAA) before producing any output. When I say
> "warm up", I mean calling IBAA_Call() 10 times, e.g.:
>
> /*
> * Warm up the generator to get rid of weak initial states.
> */
> for (i = 0; i < 10; ++i)
> IBAA_Call();
>
> --------------
>
> If there are any questions, I am happy to discuss this by E-mail.
>
> Thanks !
>
>
>
> --
> Sincerely,
>
> Robin Carey BSc
>
>
> --
> You have received this notification because you have either subscribed to
> it, or are involved in it.
> To change your notification preferences, please click here:
> http://bugs.dragonflybsd.org/my/account
>

--
Sincerely,

Robin Carey BSc

--
Sincerely,

Robin Carey BSc

#3 Updated by tuxillo 12 months ago

Hi Robin,

Is this directed to me for some specific reason? I don't remember why.
Thanks for refreshing my memory :)

Cheers,
Antonio Huete

#4 Updated by robin.carey1 12 months ago

Hi Antonio,

I tried to reply to "", because that
was who/what
sent the Reply/Response to my original bug-submission. And I seem to
remember your
name cropped up somewhere. So I assumed it was you I was replying to .....
maybe you
are responsible for the "bugtracker-admin" account .... ?

In any case, the reply to "bugtracker-admin" never went through, so I
forwarded my
response to "" (which seemed to work).

While I'm here: Happy Christmas to you all (and hopefully a good New Year
!!!) !

On 17 December 2013 15:54, wrote:

>
> Issue #2601 has been updated by tuxillo.
>
>
> Hi Robin,
>
> Is this directed to me for some specific reason? I don't remember why.
> Thanks for refreshing my memory :)
>
> Cheers,
> Antonio Huete
>
> ----------------------------------------
> Bug #2601: IBAA and /dev/random
> http://bugs.dragonflybsd.org/issues/2601#change-11673
>
> * Author: robin.carey1
> * Status: New
> * Priority: Normal
> * Assignee:
> * Category:
> * Target version:
> ----------------------------------------
> Dear DragonFlyBSD bugs,
>
> With regard to DragonFlyBSD IBAA & /dev/random implementation:
>
> I noticed that Dragonfly bypasses IBAAs weak initial states (twice) by
> "warming up" the CSPRNG in:
>
> 1) rand_initialize()
>
> and
>
> 2) add_buffer_randomness()
> I am referring to the Kernel file: /sys/kern/kern_nrandom.c
>
> ----------
>
> I realized that this "probably/might" solve the problem (of IBAAs weak
> initial states, which leak the internal state) - but in my opinion does not
> 100%/definitely solve that problem.
>
> I would like to point out that there is, in my opinion, a guaranteed way to
> solve the above problem - and, which also eliminates the above code
> duplication (two instances), to one instance.
>
> Also, in my opinion using the new method I am suggesting might also
> improve the quality of randomness output, by "smoothing out" the
> internal state, i.e. if there is a non-uniform or "jaggedy"
> internal-state/memory.
>
> --------------
>
> The new method:
>
> In the "read_random()" function:
>
> Warm up the CSPRNG (IBAA) before producing any output. When I say
> "warm up", I mean calling IBAA_Call() 10 times, e.g.:
>
> /*
> * Warm up the generator to get rid of weak initial states.
> */
> for (i = 0; i < 10; ++i)
> IBAA_Call();
>
> --------------
>
> If there are any questions, I am happy to discuss this by E-mail.
>
> Thanks !
>
>
>
> --
> Sincerely,
>
> Robin Carey BSc
>
>
> --
> You have received this notification because you have either subscribed to
> it, or are involved in it.
> To change your notification preferences, please click here:
> http://bugs.dragonflybsd.org/my/account
>

--
Sincerely,

Robin Carey BSc

#5 Updated by jorisgio 6 months ago

#6 Updated by dillon 6 months ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

Closing. Made modifications as requested and also adjusted /dev/urandom and the sysctl random to use IBAA (which is what /dev/random uses), so they all use IBAA now and nothing uses L15. These changes will make it into the 3.8.1 roll on Monday June 16th 2014.

In the near future we will run with two independent algorithms and xor their streams together. We are discussing this now. 3.8.1 will likely roll with just IBAA but if we get the second algorithm in place in the next few weeks we will MFC it to the release branch.

-Matt

Also available in: Atom PDF