Date: Mon, 24 Jul 2000 21:51:21 -0400 From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org> To: Mark Murray <mark@grondar.za> Cc: Kris Kennaway <kris@FreeBSD.ORG>, current@FreeBSD.ORG Subject: Re: randomdev entropy gathering is really weak Message-ID: <397CF299.9F89E1CA@vangelderen.org> References: <Pine.BSF.4.21.0007231747430.79995-100000@freefall.freebsd.org> <200007240603.IAA03449@grimreaper.grondar.za>
next in thread | previous in thread | raw e-mail | index | archive | help
Mark Murray wrote: [...] > > > Asynchonous reseeding _improves_ the situation; the attacker cannot force > > > it to any degree of accuracy, and if he has the odds stacked heavily against > > > him that each 256-bits of output will have an associated reseed, it makes > > > his job pretty damn difficult. This is not correct for a variety of reasons. But that's all fairly theoretical and ... not relevant for the discussion at hand. > > What I meant with that point is that the user may get, say an extra few > > hundred bits out of it with no new entropy before the scheduled reseed > > task kicks in. > > How does he know which bits are which? His analysis task just got a whole > lot more difficult. Again, not entirely correct but not relevant either... Kris is simply right in that the /dev/random semantics change and that more bits can be output by Yarrow than there is entropy gathered. *In theory* the complexity of an attack on our Yarrow has an upper bound of 2^256 and *in theory* this is less than the complexity of an attack on our current /dev/random. This is a hard fact, no way around that. However, the big question here is not about theory but about *practicality*. Is Yarrow less secure than /dev/random in practice? How does our /dev/random hold up under attack? How does Yarrow compare? I think we need to evaluate these practical questions instead of deep theoretical issues as Yarrow is all about practicality. At a more fundamental level we will need to answer the question: "Do we need to preserve the current /dev/random semantics or can we decide to change 'em? [1]". And how will this affect our applications *in practice*. So let's concentrate this discussion on the practical issues and explain why you think backing /dev/random with Yarrow and changing the semantics is justifyable or even a good thing. Cheers, Jeroen [1] And, should we decide not to change /dev/random semantics, can we still back /dev/random with a modified Yarrow? -- Jeroen C. van Gelderen o _ _ _ jeroen@vangelderen.org _o /\_ _ \\o (_)\__/o (_) _< \_ _>(_) (_)/<_ \_| \ _|/' \/ (_)>(_) (_) (_) (_) (_)' _\o_ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?397CF299.9F89E1CA>