MD5 Folding in kernel RNG

From: Kjell Wooding
Date: Monday, December 27, 2010 - 6:07 pm

The OpenBSD random number subsystem uses an in-kernel entropy pool. This
data isn't used directly. When entropy is requested, the contents of the
pool are hashed with MD5, and the massaged output used to seed an RC4 PRNG.

In looking at the code, however, I notice we actually fold the MD5 output in
half. From extract_entropy():

    MD5Final(buffer, &tmp);

    /*
     * In case the hash function has some recognizable
     * output pattern, we fold it in half.
     */
    buffer[0] ^= buffer[15];
    buffer[1] ^= buffer[14];
    buffer[2] ^= buffer[13];
    buffer[3] ^= buffer[12];
    buffer[4] ^= buffer[11];
    buffer[5] ^= buffer[10];
    buffer[6] ^= buffer[ 9];
    buffer[7] ^= buffer[ 8];

    /* Copy data to destination buffer */
    bcopy(buffer, buf, i);
    nbytes -= i;
    buf += i;

My question: Why? What exactly are we protecting against, and is this really
protection? (The comment says "some recognizable output pattern", but that
means little to me as is.) Can we really be sure it doesn't make things
worse?

Is this done elsewhere, or is it our particular brand of voodoo?

Happy ho ho,

-kj
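Added illustration (not from the post or the OpenBSD source): a Python model of the hash-and-fold step using hashlib, plus two constructed "recognizable pattern" cases showing when the fold hides a pattern and when it turns one into something worse. The counter-based extraction loop and the 16-byte pool are assumptions; the kernel's own per-iteration pool mixing is not modelled.

```python
import hashlib


def fold_half(digest: bytes) -> bytes:
    """Fold a 16-byte MD5 digest exactly as the kernel snippet does:
    byte i is XORed with byte 15-i and only the first 8 bytes are kept."""
    assert len(digest) == 16
    return bytes(digest[i] ^ digest[15 - i] for i in range(8))


def extract_entropy(pool: bytes, nbytes: int) -> bytes:
    """Assumed model of the extraction loop: hash the pool, fold the digest,
    copy up to 8 bytes per iteration. Note the fold halves the yield per
    hash from 16 to 8 bytes. The counter stands in for the kernel's
    per-iteration pool mixing, which is not reproduced here."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        digest = hashlib.md5(pool + counter.to_bytes(4, "little")).digest()
        i = min(8, nbytes - len(out))
        out += fold_half(digest)[:i]
        counter += 1
    return out


def pattern_cases(n: int = 200) -> tuple[int, int, int]:
    """Two constructed defects in a hypothetical weak hash, n samples each.
    Case A: byte 15 is stuck at 0x00. Unfolded, that byte is a recognizable
    pattern; folded, byte 0 ^ byte 15 inherits byte 0's unpredictability.
    Case B: byte 15 always equals byte 0 (halves correlated). Folding
    collapses byte 0 of the output to a constant 0x00, i.e. a pattern that
    relates the two halves is made worse, not hidden.
    Returns distinct values seen for (A raw byte 15, A folded byte 0,
    B folded byte 0)."""
    a_raw, a_fold, b_fold = set(), set(), set()
    for k in range(n):
        d = bytearray(hashlib.md5(k.to_bytes(4, "little")).digest())
        d[15] = 0x00                      # constructed defect A
        a_raw.add(d[15])
        a_fold.add(fold_half(bytes(d))[0])
        d[15] = d[0]                      # constructed defect B
        b_fold.add(fold_half(bytes(d))[0])
    return len(a_raw), len(a_fold), len(b_fold)
```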

Messages in current thread:
MD5 Folding in kernel RNG, Kjell Wooding, (Mon Dec 27, 6:07 pm)
Re: MD5 Folding in kernel RNG, Ted Unangst, (Mon Dec 27, 9:02 pm)
Re: MD5 Folding in kernel RNG, Damien Miller, (Tue Dec 28, 1:48 am)
Re: MD5 Folding in kernel RNG, Kjell Wooding, (Tue Dec 28, 1:08 pm)
Re: MD5 Folding in kernel RNG, Damien Miller, (Tue Dec 28, 1:45 pm)
Re: MD5 Folding in kernel RNG, Kjell Wooding, (Tue Dec 28, 2:42 pm)