CPRNGs are still an issue.

Nicolas Williams Nicolas.Williams at sun.com
Wed Dec 17 15:35:26 EST 2008

On Wed, Dec 17, 2008 at 03:02:54PM -0500, Perry E. Metzger wrote:
> The longer I'm in this field, the more the phrase "use with extreme
> caution" seems to mean "don't use" to me. More and more, I think that
> if you don't have a really good way to test and get assurance about a
> component of your security architecture, you should leave that
> component out.

But do beware of becoming something of a Luddite w.r.t. entropy sources.

If you can mix seeds into your entropy pool without destroying the
entropy of your pool (and we agree that you can) while adding some of
any entropy in your seeds (and we agree that you can), then why not?

Yes, I saw your other message.  Testing entropy pools and sources is
hard if you want real entropy.  One way to test the pool and its mixing
function is to add and use a hook for supplying test vectors instead of
real entropy for each source.  But to test the operational system, if it
has real entropy sources, is harder.  So you might as well add in a
fixed, manufacture-time seed + time/counter-based salting, as you
suggested.  And you'll still want to test the result, but you can only
apply statistical analysis to the outputs to decide if they're

Having no entropy sources is not a good option for systems where the
threat model requires good entropy sources (e.g., if you want PFS to
prevent compromise of an end-point from compromising pre-compromise
communications).  IMO it's not wise to trivially reject an "all of the
above" approach to entropy gathering.


The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com