[Cryptography] randomness +- entropy

John Kelsey crypto.jmk at gmail.com
Wed Nov 6 18:40:18 EST 2013


If the distribution can ship with a unique secret seed value, then that resolves the uninitialized rng problem against any attacker who doesn't know that seed value.

To update the seed, I think it's sufficient to initialize /dev/urandom from the seed file and write the first 256 bits of output back to the seed file before any outputs are generated for anything else. That guarantees that /dev/urandom never gets seeded the same way twice.

If possible, it would also be nice to have some process wait for the /dev/urandom ready flag to be set (assuming one is added), and then get another 256 bits from /dev/urandom and write those to the seed file. That ensures that the seed file eventually can become unpredictable even to someone who knows the starting value of the seed file.

--John
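As an added illustration (not code from the post, the list, or any kernel), here is a Python model of the seed-file lifecycle described above. `PoolModel` is a tiny hash-based DRBG standing in for /dev/urandom, the temporary file stands in for the distribution's seed file, and the "ready" flag and the "attacker" are assumptions made to show both properties: each boot reseeds differently once the file is rewritten first, and an attacker who knows the shipped seed can predict the file only until fresh entropy is stored after the ready flag.

```python
import hashlib, hmac, tempfile
from pathlib import Path

SEED_BYTES = 32  # 256 bits, the size the post proposes

class PoolModel:
    """Constructed stand-in for /dev/urandom: a tiny hash DRBG, not the kernel's algorithm."""
    def __init__(self):
        self.state, self.ready = b"", False
    def seed(self, data):
        self.state = hashlib.sha256(self.state + data).digest()
    def read(self, n):  # one 32-byte block per call, then ratchet the state forward
        out = hmac.new(self.state, b"out", hashlib.sha256).digest()
        self.state = hmac.new(self.state, b"next", hashlib.sha256).digest()
        return out[:n]
    def mix_fresh_entropy(self, fresh):  # models the kernel collecting hardware entropy
        self.seed(fresh); self.ready = True

def boot(seed_file, pool, rewrite=True):
    """Seed from the file and, if rewrite, write 256 bits of output back before any other consumer reads."""
    pool.seed(seed_file.read_bytes())
    if rewrite:
        seed_file.write_bytes(pool.read(SEED_BYTES))
    return pool.read(SEED_BYTES)  # first value handed to an application, e.g. key material

def after_ready(seed_file, pool):
    """Once the ready flag is set, overwrite the seed file with 256 fresh bits."""
    if not pool.ready:
        raise RuntimeError("pool not ready; refusing to store a still-predictable seed")
    seed_file.write_bytes(pool.read(SEED_BYTES))

def new_seed_file(initial_seed):
    path = Path(tempfile.mkdtemp()) / "seed"  # stands in for the distribution's seed file
    path.write_bytes(initial_seed)
    return path

def app_outputs_over_boots(initial_seed, boots, rewrite):
    """First application output from each of `boots` boots sharing one seed file."""
    path = new_seed_file(initial_seed)
    return [boot(path, PoolModel(), rewrite) for _ in range(boots)]

def seed_file_vs_attacker(initial_seed, fresh):
    """(file after boot, attacker's guess of it, file after after_ready, attacker's guess); the attacker knows initial_seed but not fresh."""
    path = new_seed_file(initial_seed); pool = PoolModel(); boot(path, pool)
    attacker = PoolModel(); attacker.seed(initial_seed)
    guess_boot = attacker.read(SEED_BYTES); attacker.read(SEED_BYTES)  # mirror boot(): file write, app read
    guess_final = attacker.read(SEED_BYTES)
    after_boot = path.read_bytes()
    pool.mix_fresh_entropy(fresh); after_ready(path, pool)
    return after_boot, guess_boot, path.read_bytes(), guess_final
```

Without the rewrite step (`rewrite=False`) every boot hands applications the same first value, which is the failure the post's ordering rule prevents.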

