From owner-freebsd-current Sat Jul 22 15:11:42 2000
Delivered-To: freebsd-current@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 3D4BA37B582; Sat, 22 Jul 2000 15:11:40 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA28590; Sat, 22 Jul 2000 15:11:40 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Sat, 22 Jul 2000 15:11:39 -0700 (PDT)
From: Kris Kennaway
To: Mark Murray
Cc: current@FreeBSD.org
Subject: Re: randomdev entropy gathering is really weak
In-Reply-To: <200007221200.OAA06345@grimreaper.grondar.za>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Sat, 22 Jul 2000, Mark Murray wrote:

> > So what if I want/need 257 bits? :-)
>
> Read them. You'll get them. If you want higher quality randomness than
> Yarrow gives, read more than once. Do other stuff; play. Don't get stuck
> in the "I have exhausted the randomness pool" loop; Yarrow does not play
> that game.

I think you're missing the point. The only way I can get a random number
with more than n bits of entropy out of Yarrow-n is if I sample either side
of a reseed operation, which in general comes down to timing guesswork and
having to make assumptions about the PRNG implementation.

If you want to generate a cryptographic key of length n bits then you really
want >n bits of entropy in the random source you're deriving it from,
otherwise your key is actually much weaker than advertised because it's
easier for the attacker to attack the state of the PRNG that derived it than
to attack the key itself.

> From the Yarrow paper:
> ``Yarrow's outputs are cryptographically derived. Systems that use Yarrow's
> outputs are no more secure than the generation mechanism used.''
>
> We currently have Yarrow-256(Blowfish); wanna make it Yarrow-1024? I could
> make it so.

Well, if we did that then how about generating 2048-bit keys? :-)

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
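A toy model of the argument in this message, added here as an illustration and not code from the thread or from FreeBSD's randomdev: a generator with an n-bit state (n = 8 here, so every state can be enumerated) is asked for a 256-bit key, and the number of distinct keys it can ever produce is counted. It assumes SHA-256 in counter mode as the "cryptographic derivation" and, for the reseed case, that at least n bits of fresh entropy were mixed in between the two reads.

```python
import hashlib
import math
from itertools import product

STATE_BITS = 8   # toy "Yarrow-n" with n = 8 (constructed; real generators use far more)
KEY_BYTES = 32   # we ask the generator for a 256-bit key, i.e. far more than n bits

def prng_output(state: int, nbytes: int) -> bytes:
    """Toy model of a Yarrow-style generator: the output is cryptographically
    derived from the internal state (here SHA-256 over state||counter). Every
    byte is a deterministic function of the state, so no entropy is added."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        block = state.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:nbytes]

def distinct_keys_without_reseed() -> int:
    """Derive a KEY_BYTES-byte key from every reachable state. Whatever the
    key length, the set of keys an adversary must consider has at most
    2**STATE_BITS members: the key is only as strong as the generator state."""
    return len({prng_output(s, KEY_BYTES) for s in range(2 ** STATE_BITS)})

def distinct_keys_with_reseed() -> int:
    """Model the 'either side of a reseed' case: the two halves of the key are
    read from two generator states that (assumption) are independent because
    at least STATE_BITS bits of fresh entropy were mixed in between the reads.
    Only then can the key take up to 2**(2*STATE_BITS) distinct values."""
    half = KEY_BYTES // 2
    halves = [prng_output(s, half) for s in range(2 ** STATE_BITS)]
    return len({a + b for a, b in product(halves, repeat=2)})

def effective_entropy_bits(n_distinct: int) -> float:
    """Entropy actually present in the key, assuming every state is equally likely."""
    return math.log2(n_distinct)

if __name__ == "__main__":
    n1 = distinct_keys_without_reseed()
    n2 = distinct_keys_with_reseed()
    print(f"{KEY_BYTES * 8}-bit key, single read: {n1} possible keys, "
          f"{effective_entropy_bits(n1):.0f} bits of entropy")
    print(f"{KEY_BYTES * 8}-bit key, read across a reseed: {n2} possible keys, "
          f"{effective_entropy_bits(n2):.0f} bits of entropy")
```

The single-read count shows why a 2048-bit key from a Yarrow-1024 pool carries at most 1024 bits of entropy; the reseed case shows the extra bits appear only if fresh entropy actually arrived between the two reads.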