CPRNGs are still an issue.

Damien Miller djm at mindrot.org
Tue Dec 16 17:42:38 EST 2008

On Tue, 16 Dec 2008, mheyman at gmail.com wrote:

> On Thu, Dec 11, 2008 at 8:42 PM, Damien Miller <djm at mindrot.org> wrote:
> > On Thu, 11 Dec 2008, James A. Donald wrote:
> >
> >> If one uses a higher resolution counter - sub
> >> microsecond - and times multiple disk accesses, one gets
> >> true physical randomness, since disk access times are
> >> effected by turbulence, which is physically true
> >> random.
> >
> > Until someone runs your software on a SSD instead of a HDD. Oops.
> >
> Before we give up on using drive timings, does anyone have evidence to
> verify this assertion? The reviews I have seen using tools like HD
> Tune and HD Tach seem to show timing noise reading and writing SSDs. I
> don't know where the noise comes from - it is probably not turbulence
> <grin/> - but it may be random enough that a long series of tests, say
> for a second or so (don't forget, these drives are fast), could
> provide a nice pool of unguessable bits.

I think you have it quite backwards - in the absence of good evidence
that transaction timings on SSDs are dependent on some physically
unpredictable process (air turbulence, shot noise, etc.) then they
should not be considered suitable for cryptographic use, no matter how
"random looking" they are.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

More information about the cryptography mailing list