X-Original-To: cryptography@metzdowd.com
In-Reply-To: <527A9B2C.9070400@av8n.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Wed, 6 Nov 2013 18:40:18 -0500
To: John Denker <jsd@av8n.com>
Cc: Theodore Ts'o <tytso@mit.edu>, Cryptography <cryptography@metzdowd.com>, RNG mlist <rng@lists.bitrot.info>, Watson Ladd <watsonbladd@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

If the distribution can ship with a unique secret seed value, then that resolves the uninitialized rng problem against any attacker who doesn't know that seed value.

To update the seed, I think it's sufficient to initialize /dev/urandom from the seed file and write the first 256 bits of output back to the seed file before any outputs are generated for anything else. That guarantees that /dev/urandom never gets seeded the same way twice.

If possible it would also be nice to have some process wait for the /dev/urandom ready flag to be set (assuming one is added), and then get another 256 bits from /dev/urandom and write those to the seed file. That ensures that the seed file eventually can become unpredictable even to someone who knows the starting value of the seed file.

--John

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
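The two-stage seed-file protocol described in the message above, written out as an added example (this is not code from the message, from any distribution's init scripts, or from the kernel). It assumes Linux semantics: writing to /dev/urandom mixes bytes into the pool without crediting entropy, and the "ready flag" the message hopes for is taken to be the blocking behaviour of getrandom(2) (exposed as os.getrandom, which blocks until the pool is initialized; getrandom did not exist when the message was written). The seed path and the demo's temporary directory are constructed for the example.

```python
import os
import tempfile

SEED_BYTES = 32  # 256 bits, as in the message


def mix_seed_into_pool(seed_path, device="/dev/urandom"):
    """Stage 0 at boot: feed the stored seed into the kernel pool.

    Writing to /dev/urandom mixes the bytes in but does not credit entropy,
    so a seed an attacker already knows adds nothing they can't track.
    Returns the number of bytes fed, or 0 when there is no seed file yet
    (first boot of a freshly installed image)."""
    try:
        with open(seed_path, "rb") as f:
            seed = f.read()
    except FileNotFoundError:
        return 0
    with open(device, "wb") as dev:
        dev.write(seed)
    return len(seed)


def write_seed_file(seed_path, fresh):
    """Atomically replace the seed file, mode 0600 so only root can read it.

    The whole scheme is only as good as the secrecy of this file, so it is
    written to a temp file, fsynced, and renamed into place; a crash mid-write
    must never leave an empty or half-written seed."""
    tmp = seed_path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(fresh)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, seed_path)
    return fresh


def early_boot_refresh(seed_path, device="/dev/urandom"):
    """Stage 1: seed the pool, then immediately write the first 256 bits of
    output back over the seed file, before anything else consumes output.

    Because the pool state now depends on the old seed plus whatever else the
    kernel mixed in, the next boot is guaranteed to start from a different
    seed than this one did."""
    mix_seed_into_pool(seed_path, device)
    with open(device, "rb") as dev:
        fresh = dev.read(SEED_BYTES)
    return write_seed_file(seed_path, fresh)


def after_ready_refresh(seed_path):
    """Stage 2: once the pool is fully initialized, overwrite the seed again.

    os.getrandom with flags=0 blocks until the kernel considers the pool
    seeded, which stands in for the "ready flag" the message asks for. After
    this write the seed file is unpredictable even to someone who knew the
    value the image shipped with."""
    fresh = os.getrandom(SEED_BYTES, 0)
    return write_seed_file(seed_path, fresh)


def simulate_boots(seed_dir=None):
    """Run the protocol across two simulated boots in a throwaway directory.

    Returns (seeds_written_in_order, final_seed_file_contents, file_mode).
    The directory is a constructed stand-in for /var/lib/<distro>/random-seed."""
    seed_dir = seed_dir or tempfile.mkdtemp(prefix="seed-demo-")
    path = os.path.join(seed_dir, "random-seed")

    # Boot 1 of a fresh image: no seed file yet, stage 1 still writes one.
    assert mix_seed_into_pool(path) == 0
    written = [early_boot_refresh(path)]
    written.append(after_ready_refresh(path))   # later in boot 1

    # Boot 2: the seed file from boot 1 is consumed and replaced right away.
    assert mix_seed_into_pool(path) == SEED_BYTES
    written.append(early_boot_refresh(path))

    with open(path, "rb") as f:
        final = f.read()
    mode = os.stat(path).st_mode & 0o777
    return written, final, mode


if __name__ == "__main__":
    seeds, final, mode = simulate_boots()
    print("seeds written:", [s.hex() for s in seeds])
    print("final file mode: %o" % mode)
```

The point the test checks is the one the message makes: every seed written is 256 bits, no two are the same, and the file on disk always holds the most recent one. The 0600 mode is the practitioner's addition, since the message's security argument assumes the seed value is secret from the attacker.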