[147920] in cryptography@c2.net mail archive


Re: [Cryptography] [RNG] /dev/random initialisation

daemon@ATHENA.MIT.EDU (Kent Borg)
Thu Oct 31 13:27:34 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 31 Oct 2013 10:31:48 -0400
From: Kent Borg <kentborg@borg.org>
To: Jerry Leichter <leichter@lrw.com>, jamesd@echeque.com
In-Reply-To: <129DF2E9-6F7C-43AC-B136-F63A0FA3996D@lrw.com>
Cc: cryptography@metzdowd.com
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On 10/30/2013 05:00 PM, Jerry Leichter wrote:
> On Oct 30, 2013, at 4:32 PM, "James A. Donald" <jamesd@echeque.com> wrote:
>> No source of entropy can ever be harmful. The worst that can happen is that it is entirely predictable to the adversary, in which case it does little good, but can never do harm.
> Are you so sure?

You make a good point: If an attacker can feed crafted data as an "it 
can't hurt" entropy source, and if the attacker can draw entropy out, it 
is possible to break the entropy accounting, making it think there is 
more entropy there than there really is.  (Fair summary?)

This then turns the attacker's problem into breaking the hashing or 
encryption that is at the heart of the RNG.

But the problem isn't the extra entropy sources, it is broken accounting.

I want lots of entropy sources.  It makes the attacker's task more 
difficult.  Even if the attacker's job maybe starts out impossible, I 
like making it harder.

> and I'm not sure that a Linux-style generator does.  If you have it ... why would you need to allow additional (allegedly random) sources?

Linux tries hard to not credit "can't hurt" sources.  It doesn't even 
credit the reading of a stored pool at boot.


-kb, the Kent who doesn't like entropy accounting to begin with, it just 
feels like we are fooling ourselves.


_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
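
An added example, not part of the message above and not Linux kernel code: a toy hash-based pool in Python that accepts the same untrusted write once with zero credit and once with full credit, showing that the failure discussed in the thread sits in the accounting rather than in the extra input. `ToyPool`, its methods, the 8-bit boot secret and the 128-bit read threshold are all assumptions made for illustration.

```python
import hashlib

class ToyPool:
    """Toy hash-based pool with an entropy counter (illustrative, not the Linux code)."""
    def __init__(self):
        self.state = b"\x00" * 32
        self.estimate_bits = 0          # what the accounting believes

    def mix(self, data: bytes, credit_bits: int = 0) -> None:
        # Mixing always changes the state; only credit_bits touches the accounting.
        self.state = hashlib.sha256(self.state + data).digest()
        self.estimate_bits = min(256, self.estimate_bits + credit_bits)

    def read_blocking(self, need_bits: int = 128):
        # Release output only when the accounting claims enough entropy.
        if self.estimate_bits < need_bits:
            return None                 # a real blocking device would wait here
        self.estimate_bits -= need_bits
        return hashlib.sha256(b"out" + self.state).digest()[: need_bits // 8]

def run(credit_untrusted: bool):
    """Boot a pool with one 8-bit secret, then accept a 32-byte untrusted write."""
    secret = bytes([0xA7])              # constructed: the only truly unknown input
    untrusted = b"A" * 32               # constructed: contents known to the writer
    pool = ToyPool()
    pool.mix(secret, credit_bits=8)
    pool.mix(untrusted, credit_bits=256 if credit_untrusted else 0)
    return pool, untrusted

def candidates_matching(output: bytes, untrusted: bytes) -> list:
    # Audit check: which of the 256 possible boot secrets reproduce the output?
    hits = []
    for guess in range(256):
        p = ToyPool()
        p.mix(bytes([guess]), credit_bits=8)
        p.mix(untrusted, credit_bits=256)
        if p.read_blocking() == output:
            hits.append(guess)
    return hits

if __name__ == "__main__":
    honest, _ = run(credit_untrusted=False)
    print("uncredited: estimate", honest.estimate_bits, "read ->", honest.read_blocking())
    broken, known = run(credit_untrusted=True)
    out = broken.read_blocking()
    print("credited: estimate was 256, released", len(out), "bytes")
    print("secrets consistent with output:", candidates_matching(out, known))
```

Both runs end with the same pool state, so the untrusted data was mixed in either way; only the credited run releases output while the real uncertainty is still 8 bits.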
