Date: Sun, 23 Jul 2000 14:42:00 -0400
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: David Schwartz <davids@webmaster.com>
Cc: Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject: Re: randomdev entropy gathering is really weak
Message-ID: <397B3C78.1C16D34A@vangelderen.org>
References: <NCBBLIEPOCNJOAEKBEAKKEBAJOAA.davids@webmaster.com>
David Schwartz wrote:
> > > /dev/random should block if the system does not contain as much
> > > real entropy as the reader desires. Otherwise, the PRNG implementation
> > > will be the weakest link for people who have deliberately selected
> > > higher levels of protection from cryptographic attack.
> >
> > I don't want to rehash this thread from the beginning. Please go
> > back, read the Yarrow paper, and recognise that Yarrow is not an
> > entropy-counter, it is a cryptographically secure PRNG. The "count
> > random bits and block" model does not apply.
>
> Then the current implementation cannot provide the usual semantics for
> /dev/random, while it can provide the semantics for /dev/urandom. As I
> understand it, /dev/random is supposed to provide true randomness suitable
> for generating keys of unlimited length, whereas /dev/urandom is supposed
> to provide cryptographically-strong randomness for general applications.
>
> If people want /dev/random to seed 1024-bit keys, /dev/random must be
> stronger than a 1024-bit key.

1. The current /dev/random cannot do it; it's less secure than Yarrow for
   a variety of reasons. So we have a net improvement anyway. Thanks Mark.

2. Most people do not want to seed 1024-bit keys, as outlined in another
   mail in this thread. If they *understand* the issues involved they will
   realize that 2^256 complexity is plenty uncrackable for all practical
   purposes. FreeBSD is about practical purposes IMHO.

3. Yarrow can be modified to just do this, should someone think this is
   necessary. Read the paper and think of what happens when you set Pg to
   1/(2^(k/3)). (Note that the paper restricts this value to 1 <= Pg, but
   that's of no importance here.) ** This is overly conservative for most
   applications I can think of; even a multi-million dollar financial
   transactioning system will be practically secure when Pg is set to 1.

4. Nothing prevents you from adapting Yarrow so that current /dev/random
   semantics are preserved, making Yarrow even better. It can be done with
   the current design; it's just not very beneficial to do it.

5. Yarrow was designed as a better replacement for most any PRNG by a
   couple of bright cryptographers. Can you do better than that?

Cheers,
Jeroen

--
Jeroen C. van Gelderen
jeroen@vangelderen.org
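The two readers the thread argues about, as an added example that is not part of this message, of FreeBSD's randomdev, or of the Yarrow paper's reference design: a counter-mode generator with Yarrow's generator gate every Pg output blocks (point 3 above), and an entropy-counting front end bolted on top of it that gives the blocking /dev/random semantics David asks for (point 4). Assumptions: HMAC-SHA256 in counter mode stands in for the block cipher Yarrow runs in counter mode; Pg is kept an integer >= 1 as in the paper, so "gate on every block" is Pg = 1; the class and function names are invented for this example and the seed and entropy samples are constructed.

```python
# Added example: a minimal Yarrow-style generator with a generator gate,
# plus an entropy-counting front end that models a blocking /dev/random.
# Illustrative code, not FreeBSD's randomdev or the Yarrow reference design.
# Assumptions: HMAC-SHA256 in counter mode stands in for Yarrow's block
# cipher, and Pg is an integer >= 1 (the paper's restriction).
import hashlib
import hmac

BLOCK = hashlib.sha256().digest_size  # 32 bytes per output block


class YarrowLikeGenerator:
    """Counter-mode generator with Yarrow's generator gate every Pg blocks."""

    def __init__(self, seed: bytes, pg: int = 10):
        if pg < 1:
            raise ValueError("Pg must be >= 1")
        self.pg = pg
        self.key = hashlib.sha256(b"yarrow-seed" + seed).digest()
        self.counter = 0
        self.since_gate = 0
        self.gates = 0

    def _block(self) -> bytes:
        # One output block: PRF(key, counter). Anyone holding the key can
        # recompute every block produced under it, hence the gate below.
        self.counter += 1
        return hmac.new(self.key, self.counter.to_bytes(16, "big"),
                        hashlib.sha256).digest()

    def _gate(self) -> None:
        # Generator gate: the next block becomes the new key and is never
        # emitted. A later key compromise cannot be run backwards to
        # recover output handed out before the gate.
        self.key = self._block()
        self.since_gate = 0
        self.gates += 1

    def reseed(self, entropy: bytes) -> None:
        # Fold fresh entropy into the key. The paper reseeds from its
        # pools; here the sample is simply hashed in.
        self.key = hashlib.sha256(self.key + entropy).digest()
        self.counter = 0
        self.since_gate = 0

    def read(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            out += self._block()
            self.since_gate += 1
            if self.since_gate >= self.pg:
                self._gate()
        return bytes(out[:n])


class BlockingReader:
    """/dev/random semantics: never hand out more bits than were credited
    to the pool. Blocking is modelled by raising BlockingIOError."""

    def __init__(self, gen: YarrowLikeGenerator):
        self.gen = gen
        self.credit_bits = 0

    def add_entropy(self, sample: bytes, estimate_bits: int) -> None:
        self.gen.reseed(sample)
        self.credit_bits += estimate_bits

    def read(self, n: int) -> bytes:
        need = 8 * n
        if need > self.credit_bits:
            raise BlockingIOError(
                f"need {need} bits, pool credited with {self.credit_bits}")
        self.credit_bits -= need
        return self.gen.read(n)


def demo():
    # Constructed seed and entropy sample; a real system takes these from
    # the entropy pools and the harvesting code.
    gen = YarrowLikeGenerator(b"constructed seed for the example", pg=4)
    gen.read(4 * BLOCK)                # exactly Pg blocks -> one gate
    gates_after_first_read = gen.gates
    blocking = BlockingReader(YarrowLikeGenerator(b"another constructed seed"))
    blocking.add_entropy(b"constructed timer jitter sample", 256)
    key = blocking.read(32)            # spends all 256 credited bits
    try:
        blocking.read(1)               # pool empty: would block
        starved = False
    except BlockingIOError:
        starved = True
    return gates_after_first_read, len(key), starved
```

Reading from YarrowLikeGenerator alone is the /dev/urandom behaviour: it never refuses, and with Pg = 1 every block is followed by a rekey. BlockingReader is the entropy-counting layer on top, which is all the "count random bits and block" model adds; the generator underneath is unchanged either way.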