Date: Sun, 23 Jul 2000 01:21:41 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: Mark Murray <mark@grondar.za>
Cc: current@FreeBSD.org
Subject: Re: randomdev entropy gathering is really weak
Message-ID: <Pine.BSF.4.21.0007230109131.81127-100000@freefall.freebsd.org>
In-Reply-To: <200007230805.KAA02107@grimreaper.grondar.za>
On Sun, 23 Jul 2000, Mark Murray wrote:

> Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> the old approach. It is also the approach that you are advocating.
>
> The next paragraph "Yarrow takes..." is Yarrow, and the current
> implementation.

"The strength of the first approach is that, if properly designed, it is
possible to get unconditional security from the PRNG."

This is a good thing :-)

> It should not use the old method, which is attackable for many
> reasons that Schneier makes clear. (Effectively a 128 bit hash with
> a reseed ("stir") every read. Can you spell "Iterative attack"? :-) ).
>
> Where does that leave us?
>
> How good were our old numbers? How many users have I screwed by
> implementing that system?

Please understand that this is not a personal attack - I appreciate your
work, and welcome it in FreeBSD. My concern is with what Yarrow does not
do, but which FreeBSD needs: a PRNG which is capable of generating
arbitrarily large keys.

> How do we fix it? What accumulation algorithm do we use that does not
> clue the reader into what the internal state is?

I suggest we ask Bruce Schneier instead of bantering back and forth about
the issue. I claim (supported by the quote above) that it's possible to
implement such a system securely and have it co-exist with Yarrow.

> _My_ point is that the old system is broken, and that IMO Yarrow is a
> good replacement. (I support my point by noting that Schneier is a far
> better cryptographer than I, and he designed the algorithm that I
> implemented).

Yarrow is a good replacement for /dev/urandom. However, it doesn't provide
features which I believe are necessary, namely the ability to generate
high-entropy keys of arbitrary size without severely impacting PRNG
performance by constantly reseeding.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>