[Cryptography] RFC possible changes for Linux random device
John Denker
jsd at av8n.com
Tue Sep 16 06:43:30 EDT 2014
Executive summary: In any PRNG, it is necessary to be
fastidious about the distinction between entropy on
the one hand and pseudo-randomness on the other hand.
The idea of having a wasteful PRNG /per process/ is very
much open to question.
On Mon, Sep 15, 2014 at 3:20 PM, Theodore Ts'o <tytso at mit.edu> wrote:
>> Something to think about in terms of doing this as a very simple
>> change. I've considered for a while the thought of using a
>> per-process key, ...
>>
>> That way, there's absolutely no question that a heavy entropy user
>> from one process would influence the random number stream that would
>> be made available to another process.
On 09/15/2014 08:05 PM, Sandy Harris wrote:
> That is a very good idea.
I don't see how it solves the main problem.
One problem I see is that /dev/urandom wastes entropy,
by which I mean real entropy.
-- If the problem gets solved, it can perfectly well
be solved on a per-host basis. Solving it on a
per-process basis doesn't help.
-- If the problem remains unsolved, it is at least
as bad on a per-process basis as on a per-host
basis. In fact it could be worse, if we have a
lot of entropy-wasters running in parallel.
When entropy is scarce, as it often is, deciding who gets
how much becomes a policy issue, essentially an economics
issue. Doing things on a per-process basis is neither
necessary nor sufficient. For one thing, even within a
single process there can be multiple randomness-consumers,
each with different needs, each subject to different
policies.
>> a heavy entropy user [1]
That's not the right way to frame the discussion. The
statement refers to the output of the PRNG, which is
not properly called entropy. It contains a lot of
randomness, but very little entropy.
Note: If I thought the word "entropy" in statement [1]
was merely a typo I wouldn't be mentioning it.
Similarly: If I thought it were merely a misnomer I
wouldn't be mentioning it. Terminology is not very
important ... except insofar as it affects how we
formulate and communicate ideas.
I mention it because it seems to be a misconception,
not just a misnomer.
There is a crucial distinction here:
*) The output of a TRNG has an entropy density of
(100% minus epsilon).
*) The output of a PRNG has an entropy density of
(0% plus epsilon).
In any PRNG it is necessary to be fastidious about
this distinction, and to manage the entropy carefully.
The existing random.c fails to do this. In the past
I have made specific constructive suggestions about
this off-list, to no effect AFAICT.
Bottom line:
++ Please let's be fastidious about the distinction
between entropy on the one hand and pseudo-randomness
on the other hand.
++ The idea of having a wasteful PRNG /per process/
is very much open to question.
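An added illustration of the TRNG/PRNG distinction drawn above (example code written for this page; it is not from the original post, from Linux random.c, or from any standardised DRBG): a toy generator keyed by a 16-bit seed emits a stream that scores close to 8 bits/byte on a Shannon histogram estimate, i.e. it "contains a lot of randomness", yet the entire stream is recoverable from a 32-byte prefix by exhausting the seed space, because the output never holds more entropy than the seed did. SEED_BITS, the counter-mode SHA-256 construction and the sample seed 0xBEEF are assumptions chosen so the brute force finishes in seconds; a real generator would be seeded with 256 bits, but the entropy-density argument is unchanged: producing more output from the same seed adds zero entropy, whether the generator is per host or per process.

```python
"""Added example: PRNG output looks random but carries almost no entropy."""
import hashlib
import math
from collections import Counter
from typing import Optional

SEED_BITS = 16  # assumption: tiny seed space so the brute force below is quick


def seed_to_bytes(seed: int, seed_bits: int = SEED_BITS) -> bytes:
    """Fixed-width big-endian encoding of the seed."""
    return seed.to_bytes((seed_bits + 7) // 8, "big")


def drbg(seed: bytes, nbytes: int) -> bytes:
    """Toy deterministic generator: SHA-256 in counter mode over the seed.
    Illustration only; not any standardised DRBG."""
    out = bytearray()
    ctr = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(out[:nbytes])


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy of the byte histogram. A PRNG stream scores
    close to 8.0 here, which says nothing about how much entropy it holds."""
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def true_entropy_bits(seed_bits: int, nbytes: int) -> int:
    """Entropy actually present in the output: bounded by the seed,
    no matter how long the output is."""
    return min(seed_bits, 8 * nbytes)


def entropy_density(seed_bits: int, nbytes: int) -> float:
    """Entropy per output bit; tends to 0 as the output grows."""
    return true_entropy_bits(seed_bits, nbytes) / (8 * nbytes)


def recover_seed(sample: bytes, seed_bits: int = SEED_BITS) -> Optional[int]:
    """Exhaust the seed space, comparing each candidate's output prefix
    against the observed sample."""
    for s in range(1 << seed_bits):
        if drbg(seed_to_bytes(s, seed_bits), len(sample)) == sample:
            return s
    return None


if __name__ == "__main__":
    seed = 0xBEEF  # constructed sample seed (assumption), 16 bits
    stream = drbg(seed_to_bytes(seed), 1 << 20)  # 1 MiB of output
    print(f"Shannon estimate : {shannon_bits_per_byte(stream):.3f} bits/byte")
    print(f"true entropy     : {true_entropy_bits(SEED_BITS, len(stream))} bits "
          f"({entropy_density(SEED_BITS, len(stream)):.2e} per output bit)")
    found = recover_seed(stream[:32])
    predicted = drbg(seed_to_bytes(found), len(stream)) == stream
    print(f"seed from 32 bytes: {found:#x}; whole stream predicted: {predicted}")
```

The contrast to draw from running it is that statistical tests measure pseudo-randomness, which this stream has in abundance, while entropy is what an attacker cannot compute; once the seed is recovered, the remaining megabyte is worth nothing, and a per-process instance of the same design would simply be another consumer of the host's scarce seed entropy.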