Entropy gathering in the E language runtime
Bill Frantz
frantz@communities.com
Mon, 21 Sep 1998 18:33:53 -0700
The E language runtime needs to generate cryptographically secure random
numbers for use by the communications system. These numbers are used for
generating the public/private keys a vat uses to identify itself, and to
generate session keys for encryption and message authentication.
In order to get cryptographically secure random numbers, we need a source
of "randomness", which we call entropy, that is unpredictable by processes
running outside the computer system which hosts the vat. (Unpredictable by
processes running on the same machine as the vat would be very nice, but
given Windows, I don't think we can make any guarantees.)
Because computer system design since at least the 1940s has been
attempting to reduce unpredictability, getting entropy is not easy. The
entropy gathering routines in the E runtime (ec.security.ECSecureRandom and
ec.security.TimeJitterEntropy) support several techniques:
* UI events: While these routines don't have any hooks into the user
interface, they do support calls from the user interface specifically to
gather entropy. ECSecureRandom.setMouseSeed and setKeySeed accept events
from the mouse and keyboard respectively. They combine the mouse position
or the value of the key pressed with the current system time, measured with
the most precise available clock, to add to the entropy pool. These two
methods are probably the most trustworthy.
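The mixing step the two methods are described as doing (event data combined with the most precise clock reading, absorbed into a pool) can be made concrete with a small hash-based pool. This is an added example, not code from the E runtime; the class name, the method names, the SHA-256 construction and the per-event entropy credits are all assumptions made here for illustration:

```python
"""Hash-based entropy pool fed by UI events, in the style the text describes
for setMouseSeed/setKeySeed.  Added example, not the E runtime's own code; the
class, its method names and the per-event entropy credits are assumptions."""
import hashlib
import struct
import time


class EntropyPool:
    # Conservative credit: a mouse event is assumed to carry at most a couple
    # of bits of unpredictability (coarse position plus timing), a key event
    # about one.  Far more raw bytes are mixed in than are credited, by design.
    MOUSE_CREDIT_BITS = 2
    KEY_CREDIT_BITS = 1

    def __init__(self):
        # Running SHA-256 over everything mixed in since the last extraction.
        self._state = hashlib.sha256(b"pool-init")  # constructed domain tag
        self._credit_bits = 0

    def _mix(self, tag, payload, credit):
        """Absorb one event together with the most precise clock available."""
        self._state.update(tag)
        self._state.update(struct.pack(">Q", time.perf_counter_ns()))
        self._state.update(payload)
        self._credit_bits += credit

    def set_mouse_seed(self, x, y):
        self._mix(b"mouse", struct.pack(">ii", x, y), self.MOUSE_CREDIT_BITS)

    def set_key_seed(self, key_code):
        self._mix(b"key", struct.pack(">i", key_code), self.KEY_CREDIT_BITS)

    def credited_bits(self):
        return self._credit_bits

    def seed(self, nbytes=32):
        """Return nbytes of seed material, refusing until enough has been credited."""
        if not 0 < nbytes <= 32:
            raise ValueError("at most 32 bytes per extraction from a SHA-256 state")
        needed = 8 * nbytes
        if self._credit_bits < needed:
            raise RuntimeError(
                f"pool holds {self._credit_bits} credited bits, {needed} needed")
        # Output and the next pool state are derived from the same absorbed
        # input under different labels, so later pool state does not reveal
        # material already handed out (recovering it would mean inverting SHA-256).
        out = self._state.copy()
        out.update(b"extract")
        rekey = self._state.copy()
        rekey.update(b"rekey")
        self._state = hashlib.sha256(rekey.digest())
        self._credit_bits -= needed
        return out.digest()[:nbytes]


if __name__ == "__main__":
    pool = EntropyPool()
    for i in range(128):               # constructed stand-in for real mouse events
        pool.set_mouse_seed(i % 640, (7 * i) % 480)
    print("credited bits:", pool.credited_bits())
    print("seed:", pool.seed(32).hex())
```

The point of the separate credit counter is that the pool refuses to hand out a key until the caller has supplied enough independent events, regardless of how many bytes have been hashed; a pool that tracks only bytes mixed in would happily produce a 256-bit key from a single mouse click.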
* Clock Jitter: Experiments have shown that the phase jitter between the
CPU clock and the calendar clock on an "IBM" PC generates random numbers
which meet the FIPS-140 tests for randomness.
ec.security.TimeJitterEntropy gathers entropy using a native method to
access the CPU clock. This method is worrisome because we shouldn't assume
that all "PC compatibles" will generate good entropy using this technique.
One example that scares me is running under VirtualPC on a Macintosh.
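The worry above is exactly what the FIPS-140 tests mentioned in this bullet exist to catch: a raw timing source should be checked on the machine it actually runs on before it is trusted. The following added example (not the E runtime's code) samples the low bit of consecutive high-resolution clock deltas and runs the FIPS 140-1 power-up tests (monobit, poker, runs, long run) over a 20,000-bit sample; the sampling method and the reference stream are assumptions, the thresholds are the FIPS 140-1 values:

```python
"""FIPS 140-1 statistical tests applied to raw clock-jitter samples.
Added example, not the E runtime's own code.  The thresholds are the FIPS 140-1
values for a 20,000-bit sample; the jitter sampling method is an assumption."""
import hashlib
import time

SAMPLE_BITS = 20000
MONOBIT_RANGE = (9654, 10346)          # exclusive bounds on the count of ones
POKER_RANGE = (1.03, 57.4)             # exclusive bounds on the poker statistic
RUN_RANGES = {1: (2267, 2733), 2: (1079, 1421), 3: (502, 748),
              4: (223, 402), 5: (90, 223), 6: (90, 223)}  # key 6 means ">= 6"
LONG_RUN = 34                          # any run this long or longer fails


def jitter_bits(n_bits):
    """Raw, unwhitened source: the low bit of the gap between consecutive
    reads of the highest-resolution clock Python exposes."""
    bits = []
    prev = time.perf_counter_ns()
    while len(bits) < n_bits:
        now = time.perf_counter_ns()
        bits.append((now - prev) & 1)
        prev = now
    return bits


def hash_stream_bits(n_bits, seed=b"constructed-reference-seed"):
    """Deterministic SHA-256 counter stream: a known-good sequence used only to
    sanity-check the tester itself (a checker that rejects this is broken)."""
    bits = []
    counter = 0
    while len(bits) < n_bits:
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
        for byte in block:
            bits.extend((byte >> shift) & 1 for shift in range(7, -1, -1))
    return bits[:n_bits]


def fips_140_1_check(bits):
    """Run the four FIPS 140-1 tests; returns the statistics and a pass flag."""
    if len(bits) != SAMPLE_BITS:
        raise ValueError("FIPS 140-1 tests are defined over exactly 20,000 bits")
    # Monobit: the number of ones must be close to 10,000.
    ones = sum(bits)
    monobit_ok = MONOBIT_RANGE[0] < ones < MONOBIT_RANGE[1]
    # Poker: chi-square-like statistic over the 5,000 non-overlapping nibbles.
    counts = [0] * 16
    for i in range(0, SAMPLE_BITS, 4):
        nib = (bits[i] << 3) | (bits[i + 1] << 2) | (bits[i + 2] << 1) | bits[i + 3]
        counts[nib] += 1
    n = SAMPLE_BITS // 4
    poker = (16.0 / n) * sum(c * c for c in counts) - n
    poker_ok = POKER_RANGE[0] < poker < POKER_RANGE[1]
    # Runs and long run: walk the maximal runs of zeros and of ones.
    run_counts = {0: dict.fromkeys(range(1, 7), 0), 1: dict.fromkeys(range(1, 7), 0)}
    longest = 0
    i = 0
    while i < SAMPLE_BITS:
        j = i
        while j < SAMPLE_BITS and bits[j] == bits[i]:
            j += 1
        length = j - i
        longest = max(longest, length)
        run_counts[bits[i]][min(length, 6)] += 1
        i = j
    runs_ok = all(RUN_RANGES[k][0] <= run_counts[b][k] <= RUN_RANGES[k][1]
                  for b in (0, 1) for k in range(1, 7))
    long_run_ok = longest < LONG_RUN
    return {
        "ones": ones, "monobit": monobit_ok,
        "poker_stat": poker, "poker": poker_ok,
        "runs": runs_ok, "longest_run": longest, "long_run": long_run_ok,
        "passed": monobit_ok and poker_ok and runs_ok and long_run_ok,
    }


if __name__ == "__main__":
    print("reference stream:", fips_140_1_check(hash_stream_bits(SAMPLE_BITS))["passed"])
    print("clock jitter    :", fips_140_1_check(jitter_bits(SAMPLE_BITS)))
```

Run it on a few different hosts and the jitter result will vary: where the clock is coarse (or emulated), the deltas cluster on a few values, the low bit is heavily biased, and the monobit and runs tests fail, which is the machine-dependence the bullet above warns about. Passing these tests is necessary but not sufficient; they detect gross bias, not predictability.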
* Javasoft's technique: The final technique used is the one provided by
Javasoft for their SecureRandom class. It uses the number of times a
thread can yield() during a given interval as a source of entropy. This
technique has at least some academic respectability, but it is not
guaranteed by Javasoft. It also burns quite a bit of CPU. ECSecureRandom
uses it as the technique of last resort (e.g. when it discovers it is not
running on an X86 machine).