X-Original-To: cryptography@metzdowd.com
In-Reply-To: <20131105050100.GB31049@thunk.org>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Tue, 5 Nov 2013 17:31:12 -0500
To: Theodore Ts'o <tytso@mit.edu>
Cc: Watson Ladd <watsonbladd@gmail.com>, Cryptography <cryptography@metzdowd.com>, RNG mlist <rng@lists.bitrot.info>, John Denker <jsd@av8n.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Nov 5, 2013, at 12:01 AM, Theodore Ts'o <tytso@mit.edu> wrote:

> On Mon, Nov 04, 2013 at 08:46:05PM -0800, Watson Ladd wrote:
>> I'm sorry: Did the Mind your P's and Q's paper escape everyone on this list?
>> There are thousands of devices out there generating keys on first-power on
>> with insufficient entropy, with observable deleterious effects.
>
> Sure, we need enough entropy to seed the /dev/urandom device. And
> there's been quite a lot of work to improve things since the P's and
> Q's paper. The distinction that I was talking about is whether every
> single bit that is returned from /dev/random should correspond to bits
> of entropy gathered from the system (and where you block until the
> system has been able to gather enough entropy to satisfy the request),
> or whether you depend on the cryptographic algorithms for your
> security once the CSRNG has been sufficiently well seeded (which is
> what /dev/urandom in Linux is intended to do, as contrasted with the
> /dev/random device).

Is there any way for a program to find out if /dev/urandom has been seeded properly? It seems like the alternative for a developer is either hope /dev/urandom has gotten to a secure point before he reads his PRNG seed from it, or get his PRNG seed from /dev/urandom and potentially block, and also potentially make other stuff block. But there isn't really any reason for that, right?

If I want to initialize a cryptographic PRNG, or generate an RSA key, or whatever, I am shooting for computational security, which /dev/urandom should give me *once it has reached a secure state*. I don't need full-entropy bits--I'm not generating a one-time pad or something. I just need something that is impossible to guess without more computing power than my attacker has.

--John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
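The question asked above ("is there any way for a program to find out if /dev/urandom has been seeded properly?") later got a kernel-level answer: the getrandom(2) system call, added in Linux 3.17 (2014, after this message). It draws from the same CSPRNG as /dev/urandom but blocks until the pool has been initialized, and with the GRND_NONBLOCK flag it returns EAGAIN instead of blocking, which is exactly the "has it reached a secure state yet?" probe a developer wants before pulling a PRNG seed. The following is an added example, not code from the thread or from any of its participants; it assumes Linux with the glibc getrandom() wrapper (glibc 2.25 or later), and the function names read_seed_nonblocking and urandom_seeded are my own.

```c
/* Added example (not from the original thread): asking the Linux kernel
 * whether its CSPRNG is seeded before taking a PRNG seed from it.
 * Linux-only; uses getrandom(2) via the glibc wrapper in <sys/random.h>.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/random.h>

/* Fill buf with n bytes from the kernel CSPRNG without ever blocking.
 * Returns n on success, 0 if the pool is not yet seeded (the caller can
 * wait, retry later, or fail closed), or -1 on any other error with
 * errno set (e.g. ENOSYS on a kernel older than 3.17). */
long read_seed_nonblocking(unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, GRND_NONBLOCK);
        if (r < 0) {
            if (errno == EINTR)
                continue;       /* interrupted by a signal: just retry */
            if (errno == EAGAIN)
                return 0;       /* urandom pool not initialized yet */
            return -1;          /* unrecoverable (ENOSYS, EFAULT, ...) */
        }
        got += (size_t)r;       /* short reads are possible for large n */
    }
    return (long)n;
}

/* 1 = seeded (computational security available), 0 = not yet,
 * -1 = cannot tell on this kernel. A one-byte probe is enough: the
 * kernel answers EAGAIN for any size until the pool is initialized. */
int urandom_seeded(void)
{
    unsigned char probe[1];
    long r = read_seed_nonblocking(probe, sizeof probe);
    if (r == 1)
        return 1;
    return r == 0 ? 0 : -1;
}

int main(void)
{
    unsigned char seed[32];     /* 256-bit seed for a userspace CSPRNG */
    int state = urandom_seeded();

    if (state != 1) {
        printf("kernel CSPRNG %s; refusing to generate keys now\n",
               state == 0 ? "not yet seeded" : "state unknown (no getrandom)");
        return 1;
    }
    if (read_seed_nonblocking(seed, sizeof seed) != (long)sizeof seed) {
        perror("getrandom");
        return 1;
    }
    printf("seeded; first seed byte 0x%02x\n", seed[0]);
    return 0;
}
```

Two practical notes. The probe answers only the question the message asks, whether the pool has reached a secure state, not how much "entropy" the kernel counts; once getrandom() succeeds without GRND_NONBLOCK the caller gets the computational-security guarantee John describes, and there is no reason to prefer /dev/random for key generation. Since Linux 5.6 (2020) /dev/random itself also blocks only until the pool is initialized and then behaves like /dev/urandom, so the "potentially block, and make other stuff block" trade-off in the message applies to older kernels.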