Date: Sun, 23 Jul 2000 12:24:56 +0200
From: Mark Murray <mark@grondar.za>
To: Kris Kennaway <kris@FreeBSD.org>
Cc: current@FreeBSD.org
Subject: Re: randomdev entropy gathering is really weak
Message-ID: <200007231024.MAA00503@grimreaper.grondar.za>
In-Reply-To: <Pine.BSF.4.21.0007230109131.81127-100000@freefall.freebsd.org>; from Kris Kennaway <kris@FreeBSD.org> "Sun, 23 Jul 2000 01:21:41 MST."
References: <Pine.BSF.4.21.0007230109131.81127-100000@freefall.freebsd.org>
> On Sun, 23 Jul 2000, Mark Murray wrote:
>
> > Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> > the old approach. It is also the approach that you are advocating.
> >
> > The next paragraph "Yarrow takes..." is Yarrow, and the current
> > implementation.
>
> "The strength of the first approach is that, if properly designed, it is
> possible to get unconditional security from the PRNG."

"if properly designed" is the key phrase. The previous one was not, and I
do not have the cryptographic skill to do so.

> This is a good thing :-)

In theory :-). In practice, we have no algorithms to go on.

> Please understand that this is not a personal attack - I appreciate your
> work, and welcome it in FreeBSD. My concern is with what Yarrow does not
> do, but which FreeBSD needs: a PRNG which is capable of generating
> arbitrarily large keys.

We are limited by the rate at which we can harvest entropy. The PC platform
has quite close to Jack Shite available if there is no-one on the keyboard.

> > How do we fix it? What accumulation algorithm do we use that does not
> > clue the reader into what the internal state is?
>
> I suggest we ask Bruce Schneier instead of bantering back and forth about
> the issue. I claim (supported by the quote above) that it's possible to
> implement such a system securely and have it co-exist with Yarrow.

In theory, yes. I'll ask Schneier. He's already said he'll look at my code
when he has the time.

> > _My_ point is that the old system is broken, and that IMO Yarrow is a
> > good replacement. (I support my point by noting that Schneier is a far
> > better cryptographer than I, and he designed the algorithm that I
> > implemented).
>
> Yarrow is a good replacement for /dev/urandom. However it doesn't provide
> features which I believe are necessary, namely the ability to generate
> high-entropy keys of arbitrary size, without severely impacting on PRNG
> performance by constantly reseeding.

Here we must agree to differ. :-)

Yarrow's data _is_ high entropy. It is indistinguishable from "real" entropy
if done right (for the purposes of this argument, I need to assume that
Schneier does it right). Yarrow is "attack oriented", which is the correct
approach if you want your numbers for crypto and not for (say) science.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
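Added here as an illustration of the two designs the thread argues over, not code from FreeBSD or from either poster: a simplified Python model of the entropy-counting blocking pool beside a Yarrow-style generator. The hash-based generator, the 128-bit reseed threshold and the per-sample entropy credits are assumptions of the model (Yarrow proper uses a block cipher in counter mode and separate fast and slow pools).

```python
import hashlib

SAMPLES = [(i.to_bytes(4, "big"), 8) for i in range(20)]   # constructed timing stand-ins, 8 assumed bits each (160 total)

class EntropyCountingPool:
    """'Old approach': never emit more bits than the estimate says were harvested."""
    def __init__(self):
        self.pool, self.estimated_bits = hashlib.sha256(), 0
    def add_entropy(self, sample, estimated_bits):
        self.pool.update(sample)
        self.estimated_bits += estimated_bits
    def read(self, nbytes):
        if nbytes * 8 > self.estimated_bits:
            raise BlockingIOError("entropy estimate exhausted")   # caller would block
        self.estimated_bits -= nbytes * 8
        out = b""
        while len(out) < nbytes:
            self.pool.update(b"out")
            out += self.pool.digest()
        return out[:nbytes]

class YarrowStyleGenerator:
    """Yarrow-like: a fixed-size key drives unbounded output; the key is replaced
    only once the accumulator holds enough fresh entropy (assumed threshold)."""
    RESEED_THRESHOLD_BITS = 128
    def __init__(self):
        self.key, self.counter, self.reseeds = bytes(32), 0, 0
        self.accumulator, self.accumulated_bits = hashlib.sha256(), 0
    def add_entropy(self, sample, estimated_bits):
        self.accumulator.update(sample)
        self.accumulated_bits += estimated_bits
        if self.accumulated_bits >= self.RESEED_THRESHOLD_BITS:
            self.key = hashlib.sha256(self.key + self.accumulator.digest()).digest()
            self.accumulator, self.accumulated_bits = hashlib.sha256(), 0
            self.reseeds += 1
    def read(self, nbytes):
        out = b""
        while len(out) < nbytes:   # hash(key || counter), counter-mode style
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:nbytes]

def try_key(gen, samples, key_bytes):
    """Feed samples to gen, then request a key_bytes key; None if it would block."""
    for sample, bits in samples:
        gen.add_entropy(sample, bits)
    try:
        return gen.read(key_bytes)
    except BlockingIOError:
        return None
```

With 160 bits harvested, the counting pool can answer a 20-byte request and must block on a 512-byte one, while the Yarrow-style generator reseeds once and returns 512 bytes whose security is computational rather than unconditional.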