[148077] in cryptography@c2.net mail archive


Re: [Cryptography] randomness +- entropy

daemon@ATHENA.MIT.EDU (Theodore Ts'o)
Thu Nov 7 15:53:42 2013

X-Original-To: cryptography@metzdowd.com
Date: Thu, 7 Nov 2013 14:50:23 -0500
From: Theodore Ts'o <tytso@mit.edu>
To: Yaron Sheffer <yaronf.ietf@gmail.com>
In-Reply-To: <527B602E.6090604@gmail.com>
X-SA-Exim-Mail-From: tytso@thunk.org
Cc: Cryptography <cryptography@metzdowd.com>,
	John Kelsey <crypto.jmk@gmail.com>, Watson Ladd <watsonbladd@gmail.com>,
	RNG mlist <rng@lists.bitrot.info>,
	Hannes Frederic Sowa <hannes@stressinduktion.org>,
	John Denker <jsd@av8n.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com

On Thu, Nov 07, 2013 at 11:41:02AM +0200, Yaron Sheffer wrote:
> 
> When this Minstrel guy reads urandom (which only has 23 bits of
> entropy at the time), do you reset the entropy estimate to 0? If you
> don't, and Minstrel broadcasts the random value somehow (in this
> case, as a timing value) an attacker can easily discover the first
> 23 bits of entropy which would make guessing the PRNG value of the
> next consumer much easier.

Yes, we do.  The minstrel driver is using get_random_bytes(), which
does decrement the entropy.

The bigger problem is that it doesn't call it once --- it calls it
several dozen times, so it basically drains the entropy all the way
down to zero.  So if it doesn't need secure random numbers, I'd much
rather get it using prng so we don't waste the entropy, so that
urandom can get fully initialized more quickly.

- Ted

_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
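The accounting Ted describes (each get_random_bytes() call debits the pool's entropy estimate, dozens of calls drain it to zero, and a non-cryptographic PRNG costs nothing) can be modelled with a small toy pool. The following is an added example written for this archive page; it is not Linux random.c and not Ted's code. The pool size is not modelled, the "fully initialized" threshold of 128 bits, the 8-bits-per-byte debit, the 1-bit-per-event credit and the xorshift generator are all assumptions chosen for illustration, and the 23-bit starting estimate and the "several dozen" (here 40) single-byte reads are the scenario from the thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of entropy accounting (added example, not kernel code).
 * Assumption: the pool counts as "fully initialized" once its estimate
 * reaches this many bits. */
#define TOY_INIT_THRESHOLD_BITS 128u

struct toy_pool {
    unsigned entropy_bits;   /* current entropy estimate */
    uint64_t state;          /* stand-in for the pool contents */
};

/* xorshift64: a non-cryptographic generator, used only so the toy pool
 * and the toy prandom path produce some bytes. */
static uint64_t xorshift64(uint64_t *s)
{
    uint64_t x = *s;
    x ^= x << 13;
    x ^= x >> 7;
    x ^= x << 17;
    return *s = x;
}

void toy_pool_init(struct toy_pool *p, unsigned initial_bits, uint64_t seed)
{
    p->entropy_bits = initial_bits;
    p->state = seed ? seed : 0x9E3779B97F4A7C15ull;  /* xorshift needs nonzero state */
}

/* An input event is mixed in and its estimated entropy is credited. */
void toy_credit_entropy(struct toy_pool *p, unsigned bits)
{
    p->entropy_bits += bits;
    p->state ^= (uint64_t)bits * 0x2545F4914F6CDD1Dull;
    xorshift64(&p->state);
}

/* Security-grade read, modelled on get_random_bytes(): deliver n bytes and
 * debit 8 bits per byte, saturating at zero. Returns the estimate left. */
unsigned toy_get_random_bytes(struct toy_pool *p, uint8_t *buf, size_t n)
{
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint8_t)xorshift64(&p->state);
    unsigned cost = (unsigned)(n * 8);
    p->entropy_bits = cost >= p->entropy_bits ? 0 : p->entropy_bits - cost;
    return p->entropy_bits;
}

/* Non-security read: its own PRNG state, no entropy debit at all. */
uint32_t toy_prandom_u32(uint64_t *prandom_state)
{
    return (uint32_t)xorshift64(prandom_state);
}

int toy_pool_initialized(const struct toy_pool *p)
{
    return p->entropy_bits >= TOY_INIT_THRESHOLD_BITS;
}

/* The thread's scenario: a consumer makes `calls` security-path reads of
 * `bytes_per_call` bytes from a pool holding start_bits. Returns what is left. */
unsigned toy_simulate_drain(unsigned start_bits, int calls, size_t bytes_per_call)
{
    struct toy_pool pool;
    uint8_t buf[64];
    if (bytes_per_call > sizeof buf) bytes_per_call = sizeof buf;
    toy_pool_init(&pool, start_bits, 1);
    for (int i = 0; i < calls; i++)
        toy_get_random_bytes(&pool, buf, bytes_per_call);
    return pool.entropy_bits;
}

/* The same consumer on the prandom path: the estimate is untouched. */
unsigned toy_simulate_prandom(unsigned start_bits, int calls)
{
    struct toy_pool pool;
    uint64_t prandom_state = 42;   /* constructed seed for the toy prandom */
    toy_pool_init(&pool, start_bits, 1);
    for (int i = 0; i < calls; i++)
        (void)toy_prandom_u32(&prandom_state);
    return pool.entropy_bits;
}

/* How many credit events of bits_per_event (assumed granularity) it takes,
 * after `calls` single-byte drains, before the pool counts as initialized. */
unsigned toy_events_until_init(unsigned start_bits, int calls, unsigned bits_per_event)
{
    struct toy_pool pool;
    uint8_t buf[1];
    unsigned events = 0;
    if (bits_per_event == 0) bits_per_event = 1;
    toy_pool_init(&pool, start_bits, 1);
    for (int i = 0; i < calls; i++)
        toy_get_random_bytes(&pool, buf, 1);
    while (!toy_pool_initialized(&pool)) {
        toy_credit_entropy(&pool, bits_per_event);
        events++;
    }
    return events;
}

int main(void)
{
    printf("23 bits, 1 read of 1 byte   : %u bits left\n", toy_simulate_drain(23, 1, 1));
    printf("23 bits, 40 reads of 1 byte : %u bits left\n", toy_simulate_drain(23, 40, 1));
    printf("23 bits, 40 prandom calls   : %u bits left\n", toy_simulate_prandom(23, 40));
    printf("events to init, no drain    : %u\n", toy_events_until_init(23, 0, 1));
    printf("events to init, after drain : %u\n", toy_events_until_init(23, 40, 1));
    return 0;
}
```

The point the model makes visible is the one in Ted's last paragraph: three single-byte reads already take the 23-bit estimate to zero, and every bit the consumer burned has to be collected again before the pool reaches the initialized threshold, whereas routing a consumer that needs no security guarantee through the prandom path leaves the estimate exactly where it was.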
