Yarrow's Counter
Eygene Ryabinkin
rea-fbsd at codelabs.ru
Sat Apr 19 19:30:21 UTC 2008
Good day.
Sat, Apr 19, 2008 at 05:56:55PM +0100, RW wrote:
> The random number generator in FreeBSD's Yarrow implementation uses
> AES256 in counter mode. When a reseed occurs the generator is
> reinitialised like this:
>
> - generate a new cypher-key from the pool[s] and the old key
> - zero the counter
> - encrypt the (zeroed) counter with the new key
The latter two are better explained as "generate new counter as
the result of encryption of a number 'zero' with the new key".
> My question is: why zero the counter?
It is per paper about Yarrow design: see
http://www.schneier.com/paper-yarrow.html
page 11, section 5.3, step 4.
> If it's not zeroed then the old counter is encrypted instead, and after
> a few reseeds the counter will accumulate an independent 256 bits of
> entropy, rather than being a function of the new key.
As the seventh paragraph of section 5.3 says, "There is no security
reason why we would set a new value for the counter C". And deriving
the new value of C from the old one will not add any additional
entropy -- you're producing the old C and new key from the same
"entropy source", so this won't give you more entropy: you have two
dependent values.
Moreover, as the last paragraph of page 9 says "...the counter value
C is assumed to be known to the attacker", Yarrow was designed with
this motto in mind. As I see it, the key reasoning is that for the
perfect encryption function in the counter mode, there is no reason
to keep the counter to be secret: it is just nonce, nothing more.
Only the key should be kept safe.
> Should I submit a patch, it's simply a matter of deleting two
> lines in reseed() in sys/dev/random/yarrow.c.
>
>
> yarrow_hash_finish(&context, temp);
> yarrow_encrypt_init(&random_state.key, temp);
>
> /* 4. Recompute the counter */
>
> for (i = 0; i < 4; i++) <---
> random_state.counter[i] = 0; <---
>
> yarrow_encrypt(&random_state.key, random_state.counter, temp);
> memcpy(random_state.counter, temp, sizeof(random_state.counter));
I would not do it without consultations with Yarrow's creators:
this modification seems not to help anything, but can break something.
But your mileage may vary, as usual ;))
--
Eygene
More information about the freebsd-hackers
mailing list