Re: [Tails-dev] Support EntropyKey?

このメッセージを削除

このメッセージに返信
著者: anonym
日付:  
To: The Tails public development discussion list
題目: Re: [Tails-dev] Support EntropyKey?
26/11/12 16:40, Jacob Appelbaum wrote:
> intrigeri:
>> Hi,
>>
>> we're asked to install ekeyd to support EntropyKey:
>> https://tails.boum.org/todo/Install_ekeyd_for___40__potentially__41___better_entropy/
>>
>> The total installed size of the needed packages is a few hundred
>> kilobytes. I think it's worth adding to improve cryptography -related
>> hardware support. What do you think?


Given what I've read about HAVEGE (or rather, mostly the lack of good
criticism) it seems like we already have solved the problem of
generating good random numbers at will in Tails by installing haveged.
I'm not against the inclusion of ekeyd, however.

>> Cheers,
>>
>
> I think it is a good idea. I regularly install it with Tails anyway.
>
> It might also make sense to include rng-tools, randomsound, and haveged
> for around of 1,098 kB on disk.


Tails do install haveged by default.

> Tails should really do everything
> possible to collect entropy as often as possible; if the rng runs dry,
> all the crypto fails badly... It might even be worth seeding the rng
> from an unlocked persistence partition - it should be possible to drain
> /dev/random of ~200 bits of entropy at any given point in time to ensure
> that the rng never goes unseeded...


Running (in Tails):

    cat /dev/random | pv > /dev/null


reports a pretty stable rate of 2MB/s on my system, which should be
sufficient for all *realistic* use cases. Given that the rate is good I
don't see any reason for mixing in additional entropy sources, like you
propose, except if haveged doesn't have good enough entropy quality on
its own.

Here's two pretty interesting blog posts about haveged and its entropy
quality:

    http://jakob.engbloms.se/archives/1370
    http://jakob.engbloms.se/archives/1374


Most points raised in them seem highly academic, though, so my
conclusion is that haveged is good enough on its own.

Cheers!