[148075] in cryptography@c2.net mail archive
Re: [Cryptography] randomness +- entropy
daemon@ATHENA.MIT.EDU (Hannes Frederic Sowa)
Thu Nov 7 15:52:06 2013
X-Original-To: cryptography@metzdowd.com
Date: Thu, 7 Nov 2013 20:57:34 +0100
From: Hannes Frederic Sowa <hannes@stressinduktion.org>
To: Theodore Ts'o <tytso@mit.edu>
In-Reply-To: <20131107195023.GA18228@thunk.org>
Cc: Cryptography <cryptography@metzdowd.com>,
John Kelsey <crypto.jmk@gmail.com>, Watson Ladd <watsonbladd@gmail.com>,
Yaron Sheffer <yaronf.ietf@gmail.com>,
RNG mlist <rng@lists.bitrot.info>, John Denker <jsd@av8n.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
On Thu, Nov 07, 2013 at 02:50:23PM -0500, Theodore Ts'o wrote:
> On Thu, Nov 07, 2013 at 11:41:02AM +0200, Yaron Sheffer wrote:
> >
> > When this Minstrel guy reads urandom (which only has 23 bits of
> > entropy at the time), do you reset the entropy estimate to 0? If you
> > don't, and Minstrel broadcasts the random value somehow (in this
> > case, as a timing value) an attacker can easily discover the first
> > 23 bits of entropy which would make guessing the PRNG value of the
> > next consumer much easier.
>
> Yes, we do. The minstrel driver is using get_random_bytes(), which
> does decrement the entropy.
Ah sorry, yes you are right. I just mixed get_random_bytes up with
prandom_u32(). I take back my previous statement.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
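An added example, not part of the thread and not kernel code, modelling the distinction the reply above turns on: a pool whose entropy estimate a get_random_bytes()-style extraction debits, beside a prandom_u32()-style Tausworthe generator that keeps its own small state and never touches a pool. POOL_BITS, the taus88-style shift parameters, and the seed values are assumptions of this example, as is the debit rule (charge the bits handed out, clamped at zero), which tracks only the accounting and not the pool contents.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed model of the two generators the reply distinguishes.
 * Nothing here is kernel code; POOL_BITS, the Tausworthe parameters and
 * the seed values are assumptions chosen for the example.
 */

#define POOL_BITS 4096U   /* assumption: cap on the entropy estimate */

/* Model of a pool that get_random_bytes() draws from: only the entropy
 * estimate (in bits) is tracked, not the pool contents. */
struct pool_model {
    unsigned int entropy_count;
};

/* Noise sources credit the estimate; it never exceeds the pool size. */
static void pool_credit(struct pool_model *p, unsigned int bits)
{
    unsigned int n = p->entropy_count + bits;
    p->entropy_count = n > POOL_BITS ? POOL_BITS : n;
}

/* Model of the accounting side of get_random_bytes(buf, nbytes): the
 * estimate is debited by the bits handed out, clamped at zero.  Returns
 * how many bits were actually charged. */
static unsigned int model_get_random_bytes(struct pool_model *p, size_t nbytes)
{
    unsigned int want = (unsigned int)(nbytes * 8);
    unsigned int debit = want < p->entropy_count ? want : p->entropy_count;
    p->entropy_count -= debit;
    return debit;
}

/* Model of prandom_u32(): a combined Tausworthe LFSR (taus88-style
 * parameters, an assumption of this example).  Its output is fully
 * determined by its own state and it performs no entropy accounting. */
struct rnd_state {
    uint32_t s1, s2, s3;
};

#define TAUSWORTHE(s, a, b, c, d) \
    ((((s) & (c)) << (d)) ^ ((((s) << (a)) ^ (s)) >> (b)))

static uint32_t model_prandom_u32(struct rnd_state *st)
{
    st->s1 = TAUSWORTHE(st->s1, 13U, 19U, 4294967294U, 12U);
    st->s2 = TAUSWORTHE(st->s2,  2U, 25U, 4294967288U,  4U);
    st->s3 = TAUSWORTHE(st->s3,  3U, 11U, 4294967280U, 17U);
    return st->s1 ^ st->s2 ^ st->s3;
}

/* The scenario from the thread: the pool has been credited start_bits
 * (23 in the thread) and a consumer asks for nbytes through the
 * get_random_bytes() path.  Returns the estimate left afterwards. */
static unsigned int estimate_after_consumer(unsigned int start_bits, size_t nbytes)
{
    struct pool_model p = { 0 };
    pool_credit(&p, start_bits);
    model_get_random_bytes(&p, nbytes);
    return p.entropy_count;
}

/* Same consumer reading prandom_u32() instead: the pool estimate is not
 * touched, and a second generator with the same (constructed) seed
 * yields the same value, so a broadcast output says something about the
 * generator's state rather than about the pool. */
static int prandom_leaves_pool_alone(unsigned int start_bits, uint32_t *out_a, uint32_t *out_b)
{
    struct pool_model p = { start_bits };
    struct rnd_state a = { 0x12345678U, 0x9abcdef0U, 0x0fedcba9U };
    struct rnd_state b = a;   /* constructed: identical seed */
    *out_a = model_prandom_u32(&a);
    *out_b = model_prandom_u32(&b);
    return p.entropy_count == start_bits;
}

int main(void)
{
    uint32_t a, b;
    printf("estimate after a 4-byte get_random_bytes() from 23 bits: %u\n",
           estimate_after_consumer(23, 4));
    printf("prandom path leaves estimate alone: %d, equal seeds give equal output: %d\n",
           prandom_leaves_pool_alone(23, &a, &b), a == b);
    return 0;
}
```

The point of the split is the one the reply makes: a caller that wants the entropy-accounted path must use get_random_bytes(); reading prandom_u32() in its place debits nothing because nothing is drawn from the pool.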