From: Richard Coleman <rcoleman@criticalmagic.com>
To: Sam Leffler
cc: freebsd-current@freebsd.org, Robert Watson
Date: Thu, 05 Aug 2004 10:33:49 -0400
Subject: Re: So much entropy it's coming out of our ears?
Message-ID: <4112454D.7000507@criticalmagic.com>
In-Reply-To: <200408042139.52577.sam@errno.com>

Sam Leffler wrote:
> gathering through fast paths. I've suggested for a long time that
> this sort of collection should be enabled only under dire
> circumstances and never by default. Regardless the last time I
> looked at the entropy harvesting it used a model where entropy was
> unilaterally sent for harvest and discarded when too plentiful. I
> term this the "push model". I've advocated a "pull model" where the
> PRNG requests entropy when a low water mark is hit and/or a hybrid
> scheme where producers have some sort of flow control or feedback
> mechanism.
>
> Everything that goes on inside the PRNG is a separate issue.
>
> Sam

In general, by using a push model, you open yourself up to the possibility that the attacker could exhaust the entropy at just the right time so he can control what entropy is harvested on the next run of the PRNG. But in this case, we might be able to get away with it, since the PRNG is still cryptographically strong even when there is no new entropy flowing into the system (as long as the attacker doesn't know the initial state of the pool). Rekeying and reseeding the pool are primarily to give you forward security and to recover if the entropy pool has been compromised. But a push system is still better if it doesn't impact performance too much.

Richard Coleman
rcoleman@criticalmagic.com
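A toy model of the two harvesting schemes discussed above (push: producers always send and the pool discards when full; pull: the pool asks for samples only once its credit falls below a low-water mark, and stops asking once full), added here as an illustration and not code from FreeBSD or from either poster; the pool capacity, low-water mark, per-sample credit and event schedule are all assumed values.

```python
import hashlib
from dataclasses import dataclass

POOL_CAPACITY = 256   # max entropy credit (bits) the pool holds; assumed value
LOW_WATER_MARK = 64   # pull model starts requesting below this; assumed value

@dataclass
class Pool:
    estimate: int = 0            # credited entropy in bits
    state: bytes = b"\x00" * 32  # mixing state, updated with SHA-256
    harvested: int = 0           # samples mixed into the pool
    rejected: int = 0            # samples offered but not mixed in
    requesting: bool = True      # pull model: producers may send right now

    def absorb(self, sample: bytes, credit: int) -> None:
        self.state = hashlib.sha256(self.state + sample).digest()
        self.estimate = min(POOL_CAPACITY, self.estimate + credit)
        self.harvested += 1
        if self.estimate >= POOL_CAPACITY:
            self.requesting = False  # hysteresis: stop asking once full

    def extract(self, cost: int) -> bytes:
        # Derive output, then rekey the state so a later compromise of the
        # pool does not expose earlier output (forward security).
        out = hashlib.sha256(b"out" + self.state).digest()
        self.state = hashlib.sha256(b"rekey" + self.state).digest()
        self.estimate = max(0, self.estimate - cost)
        if self.estimate < LOW_WATER_MARK:
            self.requesting = True   # pull model: ask producers for more
        return out

def simulate(model: str, events: list) -> dict:
    """Run ('sample', data, credit) and ('draw', cost) events through a pool."""
    pool = Pool()
    for ev in events:
        if ev[0] == "draw":
            pool.extract(ev[1])
        elif model == "push" and pool.estimate < POOL_CAPACITY:
            pool.absorb(ev[1], ev[2])  # push: sent unconditionally, kept if room
        elif model == "pull" and pool.requesting:
            pool.absorb(ev[1], ev[2])  # pull: producer sends only on request
        else:
            pool.rejected += 1         # push: discarded; pull: never sent
    return {"harvested": pool.harvested, "rejected": pool.rejected,
            "estimate": pool.estimate}

# Constructed schedule: 8 samples fill the pool, one draw spends 100 bits of
# credit, then 5 more samples arrive while the pool is still above the mark.
SCHEDULE = ([("sample", bytes([i]), 32) for i in range(8)] + [("draw", 100)]
            + [("sample", bytes([i]), 32) for i in range(8, 13)])
```

With this schedule the push pool keeps mixing in samples after the draw (12 harvested, 1 discarded), while the pull pool, still above its low-water mark, never asks for them (8 harvested, 5 never sent).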