Yarrow's Counter
RW
fbsd06 at mlists.homeunix.com
Sat Apr 19 17:18:40 UTC 2008
The random number generator in FreeBSD's Yarrow implementation uses
AES256 in counter mode. When a reseed occurs the generator is
reinitialised like this:
- generate a new cipher key from the pool[s] and the old key
- zero the counter
- encrypt the (zeroed) counter with the new key
My question is: why zero the counter?
If it's not zeroed then the old counter is encrypted instead, and after
a few reseeds the counter will accumulate an independent 256 bits of
entropy, rather than being a function of the new key.
Should I submit a patch? It's simply a matter of deleting two
lines in reseed() in sys/dev/random/yarrow.c.
yarrow_hash_finish(&context, temp);
yarrow_encrypt_init(&random_state.key, temp);
/* 4. Recompute the counter */
for (i = 0; i < 4; i++) <---
random_state.counter[i] = 0; <---
yarrow_encrypt(&random_state.key, random_state.counter, temp);
memcpy(random_state.counter, temp, sizeof(random_state.counter));
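The reseed behaviour the post describes, as an added example that is not FreeBSD's code and not part of the original message. It models the generator as a 256-bit AES key plus a one-block counter, with real AES-256 from Go's standard library, and runs the reseed both ways: with the counter zeroed (the two marked lines present) and with it kept (the two lines deleted). Assumptions: the new key is derived as SHA-256 over the pool material and the old key as a stand-in for the yarrow_hash_* calls, the counter increment is a plain big-endian +1, and all key and pool inputs are constructed strings.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// yarrowState is a cut-down model of random_state in sys/dev/random/yarrow.c:
// a 256-bit AES key and a 128-bit (one AES block) counter.
type yarrowState struct {
	key     [32]byte
	counter [16]byte
}

// encryptBlock is AES-256 applied to a single block, standing in for
// yarrow_encrypt().
func encryptBlock(key [32]byte, in [16]byte) [16]byte {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		panic(err) // a 32-byte key is always a valid AES-256 key
	}
	var out [16]byte
	block.Encrypt(out[:], in[:])
	return out
}

// nextBlock models one output step of the counter-mode generator: bump the
// counter and encrypt it. The increment is a plain big-endian +1 (assumption;
// the kernel's exact increment is not modelled).
func (st *yarrowState) nextBlock() [16]byte {
	for i := len(st.counter) - 1; i >= 0; i-- {
		st.counter[i]++
		if st.counter[i] != 0 {
			break
		}
	}
	return encryptBlock(st.key, st.counter)
}

// reseed follows the three steps described in the post. The new key is
// SHA-256 over the pool material and the old key (assumption standing in for
// the yarrow_hash_* calls). zeroCounter == true is the current code;
// zeroCounter == false is the proposed change (the two marked lines removed).
func (st *yarrowState) reseed(pool []byte, zeroCounter bool) {
	h := sha256.New()
	h.Write(pool)
	h.Write(st.key[:])
	copy(st.key[:], h.Sum(nil))
	if zeroCounter {
		st.counter = [16]byte{} // "4. Recompute the counter": start from zero
	}
	st.counter = encryptBlock(st.key, st.counter)
}

// counterIsFunctionOfKey reports whether the counter equals E_key(0), i.e.
// whether anyone who knows the key also knows the counter.
func counterIsFunctionOfKey(st *yarrowState) bool {
	return st.counter == encryptBlock(st.key, [16]byte{})
}

// counterAfterReseed runs two generators that share a key but have emitted
// different numbers of blocks, reseeds both from identical (constructed)
// pool material, and returns both post-reseed states.
func counterAfterReseed(zeroCounter bool) (a, b yarrowState) {
	var initial [32]byte
	copy(initial[:], "constructed 32-byte initial key!") // constructed key material
	a = yarrowState{key: initial}
	b = yarrowState{key: initial}
	a.nextBlock() // a has produced one block before the reseed ...
	for i := 0; i < 3; i++ {
		b.nextBlock() // ... and b three, so their counters differ going in
	}
	pool := []byte("constructed pool material, identical for both generators")
	a.reseed(pool, zeroCounter)
	b.reseed(pool, zeroCounter)
	return a, b
}

func main() {
	for _, zero := range []bool{true, false} {
		a, b := counterAfterReseed(zero)
		fmt.Printf("zero counter on reseed: %v\n", zero)
		fmt.Printf("  same key after reseed: %v\n", a.key == b.key)
		fmt.Printf("  counter a: %s\n", hex.EncodeToString(a.counter[:]))
		fmt.Printf("  counter b: %s\n", hex.EncodeToString(b.counter[:]))
		fmt.Printf("  counter == E_key(0)?  a: %v  b: %v\n",
			counterIsFunctionOfKey(&a), counterIsFunctionOfKey(&b))
	}
}
```

With the counter zeroed, both generators end the reseed with the same key and the same counter, and that counter is exactly E_key(0), so it carries no information beyond the key. With the zeroing removed, both still derive the same key, but their counters differ because each is the encryption of the counter it had before the reseed.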