Date:      Sat, 22 Jul 2000 17:41:15 -0700 (PDT)
From:      Kris Kennaway <kris@FreeBSD.org>
To:        "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc:        Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject:   Re: randomdev entropy gathering is really weak
Message-ID:  <Pine.BSF.4.21.0007221720110.39258-100000@freefall.freebsd.org>
In-Reply-To: <397A3716.A14DBF38@vangelderen.org>

On Sat, 22 Jul 2000, Jeroen C. van Gelderen wrote:

> I agree that you need long RSA keys ... but the real 
> discussion isn't really about key length but rather about 
> the overall complexity of attacking the key:

Okay, using RSA keys wasn't the best example to pick, but Yarrow also
seems easy to misuse in other cases: for example if you want to generate
multiple 256-bit symmetric keys (or other random data) at the same time,
each additional key after the first won't contain any additional entropy,
so if you break the state of the PRNG at the time the first one was
generated you get the others for free (until the thing reseeds).

This design tradeoff is discussed in section 4.1 of the paper.

> That said, there is nothing to prevent the system admin 
> from tweaking the Yarrow security parameters so that 
> Yarrow will only spit out as many bits or pseudo-randomness 
> as it gathers bits of entropy.[4]

Well, I don't see a way to tune this without modifying the Yarrow design,
since the entropy pool is intentionally decoupled from the output
mechanism, and it seems like it would add additional (unnecessary)
overhead anyway to use it in that fashion.

Indications are we can probably get quite a lot of usable entropy from a
standard system (on the order of many kilobytes per second - but I need to
read more of the literature about processing of entropy samples) - in this
case I think maintaining a third pool which is directly tapped by
/dev/random, and leaving Yarrow sitting behind /dev/urandom is the way to
go.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
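As an added illustration of the point made above about drawing several 256-bit keys between reseeds (example code written for this page, not FreeBSD's randomdev code or the Yarrow reference implementation): the model below assumes SHA-256 in counter mode as a stand-in for the block cipher Yarrow drives in counter mode, and assumes a state of just (key, counter). An attacker who captures that state right after the first key is generated reproduces every later key with no further work, because the outputs are a deterministic function of the state; only a reseed with entropy the attacker does not have ends the advantage. The seed and entropy bytes are constructed inputs, not measurements.

```python
import hashlib

BLOCK_BYTES = 32  # SHA-256 digest: one 256-bit block per counter value


class ToyGenerator:
    """Output stage of a Yarrow-style PRNG, reduced to a toy model.

    Assumption: SHA-256 in counter mode stands in for the block cipher Yarrow
    uses. The only secret is (key, counter); every output block is a
    deterministic function of that state until reseed() mixes in fresh entropy.
    """

    def __init__(self, key: bytes, counter: int = 0):
        self.key = key
        self.counter = counter

    def output(self, nbytes: int) -> bytes:
        """Return nbytes of output: hash(key || counter), counter incremented per block."""
        out = bytearray()
        while len(out) < nbytes:
            ctr = self.counter.to_bytes(16, "big")
            out += hashlib.sha256(self.key + ctr).digest()
            self.counter += 1
        return bytes(out[:nbytes])

    def reseed(self, entropy: bytes) -> None:
        """Replace the key using fresh entropy; an attacker holding the old
        state cannot follow this step without also knowing `entropy`."""
        self.key = hashlib.sha256(b"reseed|" + self.key + entropy).digest()
        self.counter = 0

    def snapshot(self) -> "ToyGenerator":
        """What an attacker obtains by reading the generator's internal state."""
        return ToyGenerator(self.key, self.counter)


def state_compromise_demo(n_keys: int = 4) -> dict:
    """Generate n_keys 256-bit keys between reseeds, let an attacker capture
    the state right after the first one, and count how many of the remaining
    keys the attacker reproduces with zero additional entropy."""
    # Constructed inputs for the demo; a real system seeds from entropy sources.
    seed = hashlib.sha256(b"constructed initial seed").digest()
    fresh_entropy = b"constructed entropy sample gathered before the reseed"

    gen = ToyGenerator(seed)
    first_key = gen.output(BLOCK_BYTES)
    stolen = gen.snapshot()  # the compromise happens here

    victim_keys = [gen.output(BLOCK_BYTES) for _ in range(n_keys - 1)]
    attacker_keys = [stolen.output(BLOCK_BYTES) for _ in range(n_keys - 1)]
    recovered = sum(v == a for v, a in zip(victim_keys, attacker_keys))

    # After a reseed with entropy the attacker lacks, the stolen copy diverges.
    gen.reseed(fresh_entropy)
    post_reseed_key = gen.output(BLOCK_BYTES)
    attacker_guess = stolen.output(BLOCK_BYTES)

    return {
        "keys_after_compromise": n_keys - 1,
        "recovered_before_reseed": recovered,
        "recovered_after_reseed": int(attacker_guess == post_reseed_key),
        "first_key_hex": first_key.hex(),
    }


if __name__ == "__main__":
    print(state_compromise_demo())
```

With the default of four keys, the attacker's copy reproduces all three keys drawn after the compromise and none after the reseed; raising `n_keys` only raises the number of keys handed over for free, which is the design tradeoff the message refers to.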
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.21.0007221720110.39258-100000>