Date:      Sun, 27 Aug 2000 12:57:54 -0400
From:      "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To:        Mark Murray <mark@grondar.za>
Cc:        Adam Back <adam@cypherspace.org>, current@FreeBSD.ORG, kris@FreeBSD.ORG
Subject:   Re: yarrow & /dev/random
Message-ID:  <39A94892.EB61FC4A@vangelderen.org>
References:  <200008262349.SAA06044@cypherspace.org> <200008270735.e7R7ZXp28310@grimreaper.grondar.za>

Mark Murray wrote:
[...]
> Again, I'm not so sure; Yarrow goes to great trouble to protect its
> internal state; by blocking, I have this very nasty suspicion that
> this carefully guarded state is being disclosed. The moment you block,
> you are confiding in the fact that you have no updating entropy, and
> as a result /dev/urandom can be attacked to get the internal state.

You would normally assume that an attacker knows when you are
not adding in entropy. In Yarrow, the assumption is that the
internal state is (sufficiently) protected by both a hash and 
the blockcipher so blocking will not affect Yarrow's security 
properties AFAICS.

Yes, /dev/urandom can be attacked at the point of blocking but 
given robust primitives the complexity is still 2^(sizeof(hash))
which is exactly the complexity Yarrow claims to provide. This
is completely independent of any knowledge of reseed timings (or
lack thereof).

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen          o      _     _         _
jeroen@vangelderen.org  _o     /\_   _ \\o  (_)\__/o  (_)
                      _< \_   _>(_) (_)/<_    \_| \   _|/' \/
                     (_)>(_) (_)        (_)   (_)    (_)'  _\o_

