[147839] in cryptography@c2.net mail archive


Re: [Cryptography] [RNG] on RNGs, VM state, rollback, etc.

daemon@ATHENA.MIT.EDU (Kent Borg)
Thu Oct 24 15:35:09 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 24 Oct 2013 12:04:10 -0400
From: Kent Borg <kentborg@borg.org>
To: cryptography@metzdowd.com
In-Reply-To: <1118B4EE-AAD6-48CF-8F69-CEF11AAA8BBA@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 10/24/2013 10:59 AM, John Kelsey wrote:
> Suppose you have a cryptographic PRNG that you initialize with a seed like this:
>
> a.  Get 256 bits of entropy from the OS.
> b.  Get 256 bits of entropy from the hardware entropy source.
> [...]

A warning here: when mixing in different sources, you want to make sure 
they are different or it might make matters worse.

In recent versions of Linux's urandom the Intel CPU random HW is NOT 
independent of urandom output; CPU HW random bits are XOR-ed in just 
before they are output.

If you mix in Intel random bits again you are making a complex system 
that is hard to analyze, and so not necessarily an improvement.  Using 
some different and independent HW source?  Cool.

-kb

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
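The cancellation risk Kent warns about, as an added example that is not part of the email thread: a simplified Python model in which, as the message describes, the OS output is the pool output XORed with CPU hardware random bytes just before it is returned. The function names (`simulated_os_output`, `xor_combiner`, `hash_combiner`) and the sample byte strings are constructed for illustration; the model takes the email's description of the kernel behaviour as its assumption rather than verifying it.

```python
import hashlib

# Constructed sample inputs (not values from the email): 32 bytes each.
SAMPLE_POOL = bytes(range(32))                              # stands in for kernel pool output
SAMPLE_HW = bytes((i * 7 + 3) % 256 for i in range(32))     # stands in for CPU HW random bytes


def xor_bytes(a: bytes, b: bytes) -> bytes:
    assert len(a) == len(b)
    return bytes(x ^ y for x, y in zip(a, b))


def simulated_os_output(pool: bytes, hw: bytes) -> bytes:
    """Simplified model (assumption) of what the email describes: the OS RNG
    XORs CPU hardware random bytes into the pool output just before returning it."""
    return xor_bytes(pool, hw)


def xor_combiner(os_out: bytes, hw: bytes) -> bytes:
    """Naive seed: XOR the OS output and the hardware bytes together."""
    return xor_bytes(os_out, hw)


def hash_combiner(os_out: bytes, hw: bytes) -> bytes:
    """Seed by hashing the concatenation of the two sources."""
    return hashlib.sha256(os_out + hw).digest()


def hw_contribution_cancels(pool: bytes, hw: bytes) -> bool:
    """With the XOR combiner, (pool ^ hw) ^ hw == pool: hardware bytes that
    are already inside the OS output contribute nothing when mixed in again."""
    seed = xor_combiner(simulated_os_output(pool, hw), hw)
    return seed == pool


def distinct_seeds_with_dead_pool(combiner, trials: int = 256) -> int:
    """Failure-mode check: the pool has no entropy (all zero) and only the
    hardware source varies. Count how many distinct seeds the combiner can
    still produce across `trials` distinct hardware outputs."""
    dead_pool = bytes(32)
    seeds = set()
    for i in range(trials):
        hw = i.to_bytes(32, "big")   # constructed: a distinct HW output per trial
        os_out = simulated_os_output(dead_pool, hw)
        seeds.add(combiner(os_out, hw))
    return len(seeds)


if __name__ == "__main__":
    print("HW bytes cancel under XOR:", hw_contribution_cancels(SAMPLE_POOL, SAMPLE_HW))
    print("distinct seeds, dead pool, XOR combiner:", distinct_seeds_with_dead_pool(xor_combiner))
    print("distinct seeds, dead pool, hash combiner:", distinct_seeds_with_dead_pool(hash_combiner))
```

Under this model the XOR combiner collapses to a single seed whenever the pool is dead, because the hardware bytes are XORed in twice and cancel; the hash combiner does not cancel, but the seed is still a function of only two underlying inputs (pool and hardware bytes), so its entropy is bounded by their joint entropy rather than by the sum of three nominally separate 256-bit sources. A second hardware source that is genuinely independent of the OS output has no such shared structure to account for.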
