chip-level randomness?

Ben Laurie ben at algroup.co.uk
Mon Sep 24 06:04:46 EDT 2001


Bram Cohen wrote:
> 
> On Wed, 19 Sep 2001, Peter Fairbrother wrote:
> 
> > Bram Cohen wrote:
> >
> > > You only have to do it once at startup to get enough entropy in there.
> >
> > If your machine is left on for months or years the seed entropy would become
> > a big target. If your PRNG status is compromised then all future uses of
> > PRNG output are compromised, which means pretty much everything crypto.
> > Other attacks on the PRNG become possible.
> 
> Such attacks can be stopped by reseeding once a minute or so, at much less
> computational cost than doing it 'continuously'. I think periodic
> reseedings are worth doing, even though I've never actually heard of an
> attack on the internal state of a PRNG which was launched *after* it had
> been seeded properly once already.

There was a bug in OpenSSL's PRNG (and BSAFE's) which permitted recovery
of the internal state from a largish number of small outputs. It has
been fixed, of course.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
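The state-compromise argument in the thread above, as an added example that is not part of this message or of OpenSSL or BSAFE: a toy hash-chained generator (constructed here, with a constructed seed) whose internal state an attacker is assumed to have captured. Every output is predictable from that snapshot until a reseed mixes in fresh entropy the attacker did not see, which is the limit periodic reseeding puts on the damage.

```python
import hashlib
import os


class ToyPrng:
    """Toy hash-based generator (constructed for this example, not a real DRBG).
    The state is a 32-byte secret; output block i is SHA-256(state || i)."""

    def __init__(self, seed: bytes):
        self.state = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0

    def reseed(self, fresh_entropy: bytes) -> None:
        # Mix new entropy into the old state instead of replacing it, so a
        # weak reseed never makes the generator worse than it already was.
        self.state = hashlib.sha256(b"reseed" + self.state + fresh_entropy).digest()

    def next_block(self) -> bytes:
        block = hashlib.sha256(b"out" + self.state + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return block

    def snapshot(self) -> tuple:
        # What an attacker who recovered the internal state would hold.
        return (self.state, self.counter)


def predict_from_snapshot(state: bytes, counter: int, n: int) -> list:
    """Attacker side: clone the captured state and run it forward n blocks."""
    clone = ToyPrng.__new__(ToyPrng)
    clone.state, clone.counter = state, counter
    return [clone.next_block() for _ in range(n)]


def state_compromise_demo(reseed: bool) -> list:
    """Return, per output block, whether the attacker's prediction matched.
    With reseed=True, 32 fresh bytes are mixed in before the third block."""
    prng = ToyPrng(b"constructed-initial-seed")
    prng.next_block()                      # some use before the compromise
    leaked_state, leaked_counter = prng.snapshot()
    predicted = predict_from_snapshot(leaked_state, leaked_counter, 4)
    actual = []
    for i in range(4):
        if reseed and i == 2:
            prng.reseed(os.urandom(32))   # entropy the attacker never saw
        actual.append(prng.next_block())
    return [p == a for p, a in zip(predicted, actual)]
```

Without reseeding every block after the compromise is predicted correctly; with a reseed only the blocks produced before it are.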



---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at wasabisystems.com