[148061] in cryptography@c2.net mail archive


Re: [Cryptography] randomness +- entropy

daemon@ATHENA.MIT.EDU (John Kelsey)
Wed Nov 6 19:24:45 2013

X-Original-To: cryptography@metzdowd.com
In-Reply-To: <527A9B2C.9070400@av8n.com>
From: John Kelsey <crypto.jmk@gmail.com>
Date: Wed, 6 Nov 2013 18:40:18 -0500
To: John Denker <jsd@av8n.com>
Cc: Theodore Ts'o <tytso@mit.edu>, Cryptography <cryptography@metzdowd.com>,
	RNG mlist <rng@lists.bitrot.info>, Watson Ladd <watsonbladd@gmail.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

If the distribution can ship with a unique secret seed value, then that resolves the uninitialized rng problem against any attacker who doesn't know that seed value.

To update the seed, I think it's sufficient to initialize /dev/urandom from the seed file and write the first 256 bits of output back to the seed file before any outputs are generated for anything else.  That guarantees that /dev/urandom never gets seeded the same way twice.  

If possible it would also be nice to have some process wait for the /dev/urandom ready flag to be set (assuming one is added), and then get another 256 bits from /dev/urandom and write those to the seed file.  That ensures that the seed file eventually can become unpredictable even to someone who knows the starting value of the seed file.  

--John
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
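The two-step seed-file update described in the message, as an added illustration that is not part of the original post or of any kernel's code. `ToyPool` is a constructed hash-chained stand-in for the kernel pool (not the Linux implementation), the seed file lives in a temporary directory, and `fresh_entropy` models whatever the machine mixes in before the ready flag is set. The simulation shows both claims: step 1 alone guarantees the file is never reused for two boots, but someone who knows the shipped seed can still replay the whole chain; only step 2, run after the pool is ready, makes the file diverge from that replay.

```python
"""Seed-file lifecycle for a /dev/urandom-style generator (constructed example)."""
import hashlib
import hmac
import os
import tempfile

SEED_BYTES = 32  # 256 bits, as in the message


class ToyPool:
    """Stand-in for the kernel pool: hash-chained state plus a ready flag.
    Constructed for this example; not the Linux implementation."""

    def __init__(self):
        self.state = b"\x00" * 32
        self.counter = 0
        self.ready = False  # set once fresh entropy has been mixed in

    def mix_in(self, data: bytes) -> None:
        self.state = hashlib.sha256(b"mix|" + self.state + data).digest()

    def read(self, n: int) -> bytes:
        """Output n bytes, then ratchet the state forward."""
        out = b""
        while len(out) < n:
            out += hmac.new(self.state, self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
            self.counter += 1
        self.state = hashlib.sha256(b"adv|" + self.state).digest()
        return out[:n]


def _write_atomic(path: str, data: bytes) -> None:
    """Temp file + rename, so a crash never leaves a truncated or empty seed file."""
    directory = os.path.dirname(path) or "."
    fd, tmp = tempfile.mkstemp(dir=directory)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
        f.flush()
        os.fsync(f.fileno())
    os.replace(tmp, path)


def early_boot(seed_path: str, pool: ToyPool) -> bytes:
    """Step 1: seed the pool from the file, then write the first 256 bits of
    output back before any other consumer reads from the pool."""
    with open(seed_path, "rb") as f:
        pool.mix_in(f.read())
    next_seed = pool.read(SEED_BYTES)
    _write_atomic(seed_path, next_seed)
    return next_seed


def after_ready(seed_path: str, pool: ToyPool, fresh_entropy: bytes) -> bytes:
    """Step 2: once the pool becomes ready (modelled here as fresh entropy
    arriving), take another 256 bits and overwrite the seed file again."""
    pool.mix_in(fresh_entropy)
    pool.ready = True
    next_seed = pool.read(SEED_BYTES)
    _write_atomic(seed_path, next_seed)
    return next_seed


def simulate_boots(initial_seed: bytes, boots: int, entropy_per_boot=None):
    """Boot `boots` times from one shipped seed and return the seed-file
    contents left behind after each boot. entropy_per_boot is a list with one
    bytes object per boot, or None to model a machine that never becomes ready."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "random-seed")
        _write_atomic(path, initial_seed)
        history = []
        for i in range(boots):
            pool = ToyPool()  # fresh pool each boot: only the file survives
            early_boot(path, pool)
            if entropy_per_boot is not None:
                after_ready(path, pool, entropy_per_boot[i])
            with open(path, "rb") as f:
                history.append(f.read())
        return history


if __name__ == "__main__":
    shipped = b"\x01" * SEED_BYTES  # constructed stand-in for a per-image seed
    for i, s in enumerate(simulate_boots(shipped, 3), 1):
        print(f"boot {i}: seed file -> {s.hex()}")
```

The ordering inside `early_boot` is the whole point: the write-back happens on the very first `read`, so no other consumer can observe output from a pool state that will later be used to seed another boot. The atomic write matters in practice too, since a crash between seeding and the write-back would leave the old seed in place and defeat the "never seeded the same way twice" guarantee.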
