Analysis of Linux-RNG Entropy and Implementation Concerns: Insights from German Study

A recent study from Germany examines the algorithms of the Linux-RNG, focusing on estimating the entropy of the raw data that noise sources provide to it. The primary objective is to assess whether the Linux-RNG can deliver 100 bits of entropy early after system boot, in line with specified thresholds.

Key Findings and Considerations:

  1. Entropy Assessment and Issues:
    • The study explores an alternative Linux-RNG implementation developed by one of the authors, highlighting consistency in design with the LRNG kernel implementation.
    • One identified issue is the potential loss of entropy during seeding, which leads to a theoretical reduction in the security of the RNG state. However, the study suggests this isn’t a feasible attack vector.
  2. Seeding Delay Issue:
    • The study finds that the ChaCha20 DRNG accessible via the Linux-RNG interfaces is slow to use new seed data provided by user space. This delay can extend up to 60 seconds but can be mitigated by actively calling RNDRESEEDCRNG.
  3. Self-Tests and Security Concerns:
    • Self-tests for the ChaCha20 DRNG, Blake2s hash operation, and SipHash logic handling the fast_pool are proposed to enhance the Linux-RNG’s reliability.
    • The study raises concerns about potential breaks in cryptography if the RNG malfunctions, emphasizing the need for robust self-tests.
  4. Entropy Estimation and Heuristic Issues:
    • The Linux-RNG’s entropy estimation, based on the Jiffies timer, is critiqued for its limited relationship with actual entropy delivered by recorded events. The study suggests discarding events derived from Jiffies for more accurate entropy estimation.
  5. Implementation Complexities:
    • The study identifies unnecessary complexities in the extract_entropy function and points out an entropy accounting operation after reaching the fully seeded state, which may be considered redundant.
  6. Security Strength and Effective Health Test:
    • The SipHash/HalfSipHash 1-0 for the fast_pool is deemed to have unspecified security strength, with assumptions made about its impact on entropy.
    • Concerns are raised about the absence of an effective entropy source health test in the Linux-RNG’s current implementation.
  7. Stability and Backporting Concerns:
    • The study questions the re-implementation of the Linux-RNG in stable kernels without addressing security or safety-critical aspects, deviating from typical stable kernel definitions.
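
The mitigation named in item 2 (Seeding Delay Issue), as an added example that is not code from the study or the kernel: a user-space helper mixes seed data in with RNDADDENTROPY and then calls RNDRESEEDCRNG so the ChaCha20 DRNG uses it without waiting. The function names, the 4096-byte cap and the constructed 0xA5 seed are assumptions of this example; both ioctls require CAP_SYS_ADMIN.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>
#include <linux/random.h>

/* Build the RNDADDENTROPY argument. entropy_count is in bits, buf_size in bytes.
 * Refuses to credit more bits than the buffer holds; 4096 is this example's cap. */
struct rand_pool_info *make_pool_info(const void *seed, size_t len, int bits)
{
    if (!seed || len == 0 || len > 4096 || bits < 0 || (size_t)bits > len * 8)
        return NULL;
    struct rand_pool_info *info = malloc(sizeof(*info) + len);
    if (!info)
        return NULL;
    info->entropy_count = bits;
    info->buf_size = (int)len;
    memcpy(info->buf, seed, len);
    return info; /* caller frees */
}

/* Mix the seed into the input pool, then force the ChaCha20 DRNG to reseed
 * now instead of at its next scheduled reseed. Returns 0 or a negative errno. */
int seed_and_reseed(int fd, const void *seed, size_t len, int bits)
{
    struct rand_pool_info *info = make_pool_info(seed, len, bits);
    if (!info)
        return -EINVAL;
    int rc = 0;
    if (ioctl(fd, RNDADDENTROPY, info) < 0)
        rc = -errno;
    else if (ioctl(fd, RNDRESEEDCRNG) < 0)
        rc = -errno;
    free(info);
    return rc;
}

int main(void)
{
    unsigned char seed[32];            /* constructed sample seed, not secret, */
    memset(seed, 0xA5, sizeof(seed));  /* so it is credited with 0 bits below  */
    int fd = open("/dev/urandom", O_RDONLY);
    int rc = fd < 0 ? -errno : seed_and_reseed(fd, seed, sizeof(seed), 0);
    if (fd >= 0) close(fd);
    if (rc) fprintf(stderr, "seed_and_reseed: %s\n", strerror(-rc));
    return rc ? 1 : 0;
}
```

Run without CAP_SYS_ADMIN, the helper reports the permission error from the first ioctl and nothing is mixed in.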

The study concludes by emphasizing the importance of addressing the identified concerns to ensure the Linux-RNG’s robustness and reliability in cryptographic applications.