entropy depletion (was: SSL/TLS passive sniffing)
Enzo Michelangeli
em at em.no-ip.com
Thu Jan 6 03:35:05 EST 2005
----- Original Message -----
From: "John Denker" <jsd at av8n.com>
Sent: Thursday, January 06, 2005 3:06 AM
> Enzo Michelangeli wrote:
[...]
> > If the PRNG uses a
> > really non-invertible algorithm (or one invertible only
> > with intractable complexity), its output gives no insight
> > whatsoever on its internal state.
>
> That is an invalid argument. The output is not the only source of
> insight as to the internal state. As discussed at
> http://www.av8n.com/turbid/paper/turbid.htm#sec-prng-attack
> attacks against PRNGs can be classified as follows:
> 1. Improper seeding, i.e. internal state never properly initialized.
> 2. Leakage of the internal state over time. This rarely involves
> direct cryptanalytic attack on the one-way function, leading to
> leakage through the PRNG’s output channel. More commonly it
> involves side-channels.
> 3. Improper stretching of limited entropy supplies, i.e. improper
> reseeding of the PRNG, and other re-use of things that ought not
> be re-used.
> 4. Bad side effects.
>
> There is a long record of successful attacks against PRNGs (op cit.).
Yes, but those are implementation flaws. Also a true RNG could present
weaknesses and be attacked (e.g., with strong EM fields overcoming the
noise of its sound card; not to mention vulnerabilities induced by the
quirks you discuss at
http://www.av8n.com/turbid/paper/turbid.htm#sec-quirks).
Anyway, I was not saying "RNG's are useless because PRNG's are more than
enough": the scope of my question was much narrower, and concerned the
concept of "entropy depletion".
> I'm not saying that the problems cannot be overcome,
> but the cost and bother of overcoming them may be such
> that you decide it's easier (and better!) to implement
> an industrial-strength high-entropy symbol generator.
Sure, I don't disagree with that.
> > As entropy is a measure of the information we don't have about the
> > internal state of a system,
>
> That is the correct definition of entropy ... but it must be correctly
> interpreted and correctly applied; see below.
>
> > it seems to me that in a good PRNGD its value
> > cannot be reduced just by extracting output bits. If there
> > is an entropy estimator based on the number of bits extracted,
> > that estimator must be flawed.
>
> You're letting your intuition about "usable randomness" run roughshod
> over the formal definition of entropy. Taking bits out of the PRNG
> *does* reduce its entropy.
By how much exactly? I'd say, _under the hypothesis that the one-way
function can't be broken and other attacks fail_, exactly zero; in the
real world, maybe a little more. But in
/usr/src/linux/drivers/char/random.c I see that the extract_entropy()
function, directly called by the exported kernel interface
get_random_bytes(), states:
if (r->entropy_count / 8 >= nbytes)
r->entropy_count -= nbytes*8;
else
r->entropy_count = 0;
...which appears to assume that the pool's entropy (the upper bound of
which is POOLBITS, defined equal to 4096) drops by a figure equal to the
number of bits that are extracted (nbytes*8). This would only make sense
if those bits weren't passed through one-way hashing. Perhaps, a great
deal of blockage problems when using /dev/random would go away with a more
realistic estimate.
Enzo
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list