aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--doc/log.txt1
-rw-r--r--src/rng/hmac_rng/hmac_rng.cpp1
-rw-r--r--src/rng/randpool/randpool.cpp36
-rw-r--r--src/utils/entropy.cpp80
-rw-r--r--src/utils/entropy.h48
-rw-r--r--src/utils/info.txt2
6 files changed, 21 insertions, 147 deletions
diff --git a/doc/log.txt b/doc/log.txt
index 09c24ba10..a62993abe 100644
--- a/doc/log.txt
+++ b/doc/log.txt
@@ -1,5 +1,6 @@
* 1.7.21, ????-??-??
+ - Drop use of entropy estimation in the PRNGs
- Make algorithm lookup much more configuable
- Add a function for runtime performance testing
- Increase intervals between HMAC_RNG automatic reseeding
diff --git a/src/rng/hmac_rng/hmac_rng.cpp b/src/rng/hmac_rng/hmac_rng.cpp
index d85cebada..95b119b9d 100644
--- a/src/rng/hmac_rng/hmac_rng.cpp
+++ b/src/rng/hmac_rng/hmac_rng.cpp
@@ -4,7 +4,6 @@
*************************************************/
#include <botan/hmac_rng.h>
-#include <botan/entropy.h>
#include <botan/loadstor.h>
#include <botan/xor_buf.h>
#include <botan/util.h>
diff --git a/src/rng/randpool/randpool.cpp b/src/rng/randpool/randpool.cpp
index 743123b9e..0017c476c 100644
--- a/src/rng/randpool/randpool.cpp
+++ b/src/rng/randpool/randpool.cpp
@@ -4,7 +4,6 @@
*************************************************/
#include <botan/randpool.h>
-#include <botan/entropy.h>
#include <botan/loadstor.h>
#include <botan/xor_buf.h>
#include <botan/util.h>
@@ -109,7 +108,19 @@ void Randpool::reseed()
{
SecureVector<byte> buffer(128);
- Entropy_Estimator estimate;
+ u32bit entropy_est = 0;
+
+ /*
+ When we reseed, assume we get 1 bit per byte sampled.
+
+ This class used to perform entropy estimation, but what we really
+ want to measure is the conditional entropy of the data with respect
+ to an unknown attacker with unknown capabilities. For this reason
+ making any sort of sane estimate is impossible. See also
+ "Boaz Barak, Shai Halevi: A model and architecture for
+ pseudo-random generation with applications to /dev/random. ACM
+ Conference on Computer and Communications Security 2005."
+ */
// First do a fast poll of all sources (no matter what)
for(u32bit j = 0; j != entropy_sources.size(); ++j)
@@ -117,24 +128,18 @@ void Randpool::reseed()
u32bit got = entropy_sources[j]->fast_poll(buffer, buffer.size());
mac->update(buffer, got);
- estimate.update(buffer, got, 96);
+ entropy_est += got;
}
- /* Limit assumed entropy from fast polls (to ensure we do at
- least a few slow polls)
- */
- estimate.set_upper_bound(256);
-
// Then do a slow poll, until we think we have got enough entropy
for(u32bit j = 0; j != entropy_sources.size(); ++j)
{
u32bit got = entropy_sources[j]->slow_poll(buffer, buffer.size());
mac->update(buffer, got);
+ entropy_est += got;
- estimate.update(buffer, got, 256);
-
- if(estimate.value() > 384)
+ if(entropy_est > 512)
break;
}
@@ -143,7 +148,7 @@ void Randpool::reseed()
xor_buf(pool, mac_val, mac_val.size());
mix_pool();
- entropy += estimate.value();
+ entropy = std::min<u32bit>(entropy + entropy_est, 8 * mac_val.size());
}
/*************************************************
@@ -155,9 +160,8 @@ void Randpool::add_entropy(const byte input[], u32bit length)
xor_buf(pool, mac_val, mac_val.size());
mix_pool();
- Entropy_Estimator estimate;
- estimate.update(input, length);
- entropy += estimate.value();
+ // Assume 1 bit conditional entropy per byte of input
+ entropy = std::min<u32bit>(entropy + length, 8 * mac_val.size());
}
/*************************************************
@@ -173,7 +177,7 @@ void Randpool::add_entropy_source(EntropySource* src)
*************************************************/
bool Randpool::is_seeded() const
{
- return (entropy >= 384);
+ return (entropy >= 7 * mac->OUTPUT_LENGTH);
}
/*************************************************
diff --git a/src/utils/entropy.cpp b/src/utils/entropy.cpp
deleted file mode 100644
index 1562eb0d2..000000000
--- a/src/utils/entropy.cpp
+++ /dev/null
@@ -1,80 +0,0 @@
-/*************************************************
-* Entropy_Estimator Source File *
-* (C) 2008 Jack Lloyd *
-*************************************************/
-
-#include <botan/entropy.h>
-#include <botan/bit_ops.h>
-
-namespace Botan {
-
-/**
-Update the estimate
-*/
-void Entropy_Estimator::update(const byte buffer[], u32bit length,
- u32bit upper_limit)
- {
- u32bit this_buf_estimate = 0;
-
- /*
- This is pretty naive
- */
- for(u32bit j = 0; j != length; ++j)
- {
- byte delta = last ^ buffer[j];
- last = buffer[j];
-
- byte delta2 = delta ^ last_delta;
- last_delta = delta;
-
- byte delta3 = delta2 ^ last_delta2;
- last_delta2 = delta2;
-
- byte min_delta = delta;
- if(min_delta > delta2) min_delta = delta2;
- if(min_delta > delta3) min_delta = delta3;
-
- this_buf_estimate += hamming_weight(min_delta);
- }
-
- this_buf_estimate /= 2;
-
- if(upper_limit)
- estimate += std::min(upper_limit, this_buf_estimate);
- else
- estimate += this_buf_estimate;
- }
-
-/*************************************************
-* Estimate the entropy of the buffer *
-*************************************************/
-u32bit entropy_estimate(const byte buffer[], u32bit length)
- {
- if(length <= 4)
- return 0;
-
- u32bit estimate = 0;
- byte last = 0, last_delta = 0, last_delta2 = 0;
-
- for(u32bit j = 0; j != length; ++j)
- {
- byte delta = last ^ buffer[j];
- last = buffer[j];
-
- byte delta2 = delta ^ last_delta;
- last_delta = delta;
-
- byte delta3 = delta2 ^ last_delta2;
- last_delta2 = delta2;
-
- byte min_delta = delta;
- if(min_delta > delta2) min_delta = delta2;
- if(min_delta > delta3) min_delta = delta3;
-
- estimate += hamming_weight(min_delta);
- }
-
- return (estimate / 2);
- }
-
-}
diff --git a/src/utils/entropy.h b/src/utils/entropy.h
deleted file mode 100644
index 24d2fbdbf..000000000
--- a/src/utils/entropy.h
+++ /dev/null
@@ -1,48 +0,0 @@
-/*************************************************
-* Entropy_Estimator Header File *
-* (C) 2008 Jack Lloyd *
-*************************************************/
-
-#ifndef BOTAN_ENTROPY_ESTIMATOR_H__
-#define BOTAN_ENTROPY_ESTIMATOR_H__
-
-#include <botan/types.h>
-#include <algorithm>
-
-namespace Botan {
-
-/**
-Naive Entropy Estimation using first, second, and third order deltas
-
-@todo It would be nice to extend this to test using zlib or bzip2 if
-those modules are compiled in to the library
-*/
-class BOTAN_DLL Entropy_Estimator
- {
- public:
- Entropy_Estimator()
- { last = last_delta = last_delta2 = 0; estimate = 0; }
-
- /**
- Return the current estimate
- */
- u32bit value() const { return estimate; }
-
- /**
- Set an upper bound on the estimate so far
- */
- void set_upper_bound(u32bit upper_limit)
- { estimate = std::min(estimate, upper_limit); }
-
- /**
- Add more entropy data to the current estimation
- */
- void update(const byte buffer[], u32bit length, u32bit upper_limit = 0);
- private:
- u32bit estimate;
- byte last, last_delta, last_delta2;
- };
-
-}
-
-#endif
diff --git a/src/utils/info.txt b/src/utils/info.txt
index 99d589d8c..ffc19c852 100644
--- a/src/utils/info.txt
+++ b/src/utils/info.txt
@@ -22,8 +22,6 @@ data_src.cpp
data_src.h
datastor.cpp
datastor.h
-entropy.cpp
-entropy.h
exceptn.cpp
exceptn.h
loadstor.h