From owner-freebsd-current Sun Jul 23 1:21:44 2000 Delivered-To: freebsd-current@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8BC7537B96F; Sun, 23 Jul 2000 01:21:41 -0700 (PDT) (envelope-from kris@FreeBSD.org) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id BAA85964; Sun, 23 Jul 2000 01:21:41 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Sun, 23 Jul 2000 01:21:41 -0700 (PDT) From: Kris Kennaway To: Mark Murray Cc: current@FreeBSD.org Subject: Re: randomdev entropy gathering is really weak In-Reply-To: <200007230805.KAA02107@grimreaper.grondar.za> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-current@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Sun, 23 Jul 2000, Mark Murray wrote: > Erm, read 4.1 again :-). The paragraph that begins "One approach..." is > the old approach. It is also the approach that you are advocating. > > The next paragraph "Yarrow takes..." is Yarrow, and the current > implementation. "The strength of the first approach is that, if properly designed, it is possible to get unconditional security from the PRNG." This is a good thing :-) > It should not use the old method, which is attackable for many > reasons that Schneier makes clear. (Effectively a 128 bit hash with > a reseed ("stir") every read. Can you spell "Iterative attack"? :-) ). > > Where does that leave us? > > How good were our old numbers? How many users have I screwed by > implementing that system? Please understand that this is not a personal attack - I appreciate your work, and welcome it in FreeBSD. My concern is with what Yarrow does not do, but which FreeBSD needs: a PRNG which is capable of generating arbitrarily large keys. > How do we fix it? What accumulation algorithm do we use that does not > clue the reader into what the internal state is? I suggest we ask Bruce Schneier instead of bantering back and forth about the issue. I claim (supported by the quote above) that it's possible to implement such a system securely and have it co-exist with Yarrow. > _My_ point is that the old system is broken, and that IMO Yarrow is a > good replacement. (I support my point by noting that Schneier is a far > better cryptographer than I, and he designed the algorithm that I > implemented). Yarrow is a good replacement for /dev/urandom. However it doesn't provide features which I believe are necessary, namely the ability to generate high-entropy keys of arbitrary size, without severely impacting on PRNG performance by constantly reseeding. Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message