[Cryptography] randomness +- entropy

Theodore Ts'o tytso at mit.edu
Mon Nov 4 20:16:29 EST 2013


On Mon, Nov 04, 2013 at 12:21:00PM -0700, John Denker wrote:
> 
> FWIW note that current Linux distros make no attempt to
> provide a reservoir of true-randomly distributed bits for
> use at the next startup.  There are some efforts toward 
> storing a seed for the kernel PRNG, but the stored seed is 
> itself pseudo-randomly generated, and the kernel correctly
> attributes zero entropy to it.

One of the reasons why we don't attempt to extract "true random bits"
and save them across a reboot is that even if we had such bits that were
secure even if the underlying crypto primitives were compromised to a
fare-thee-well, once you write them to the file on the hard drive and
the OS gets shut down, there's no guarantee that an adversary might
not be able to read the bits while the OS is shut down.  Even if you
don't do something truly stupid (such as leaving your laptop
unattended in a hotel room while visiting China), the risk of having
your "true random bits" stolen is probably higher than the
cryptographic primitives getting compromised.

That's probably one of the reasons why people tend to not necessarily
worry about the difference between a CSRNG and a TRNG in practice.
For example, these are the people who believe that we should just
replace Linux's /dev/random with a Fortuna RNG which doesn't even
pretend to try to track entropy estimates, and which fundamentally
assumes that the underlying crypto algorithms are secure, or at least,
not the weakest link to worry about.  (Again, realistically, the
chances that your OS kernel has some 0-day vulnerability that the
NSA's Tailored Access Operations folks have purchased from some black
hat is probably a bigger risk than there being a cryptographic
weakness in AES or SHA that is exploitable given how we are using
the encryption or crypto hash in Yarrow, Fortuna or Linux's
/dev/random.)

I still think it's worth it to have a /dev/random where we attempt to
make an estimate of the entropy that we've collected and then later
dispensed.  But I recognize that from an engineering perspective, the
distinction is not going to be that important for many people who are
interested in practical security issues.

Regards,

					- Ted
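A toy model of the accounting Ted describes, added here as an illustration and not code from the kernel or from this thread: the shutdown seed file holds PRNG output, the next boot mixes it in with zero entropy credit (since the file may have been read while the machine was off), and only credited input moves the counter, whereas a Fortuna-style design would drop the counter entirely. The class and function names are constructed for this example.

```python
import hashlib
import os


class EntropyPool:
    """Constructed model of an entropy-counting pool: each input carries a
    caller-chosen entropy credit, each read debits the counter. The hash
    mixing is illustrative, not the kernel's actual construction."""

    def __init__(self):
        self.state = hashlib.sha256(b"pool-init").digest()
        self.entropy_bits = 0

    def mix_in(self, data: bytes, credit_bits: int) -> None:
        # Mixing always perturbs the state; the credit is only an estimate.
        self.state = hashlib.sha256(self.state + data).digest()
        self.entropy_bits = min(256, self.entropy_bits + credit_bits)

    def read(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            self.state = hashlib.sha256(b"next" + self.state).digest()
            out += hashlib.sha256(b"out" + self.state).digest()
        # Dispensing output debits the estimate, never below zero.
        self.entropy_bits = max(0, self.entropy_bits - 8 * nbytes)
        return out[:nbytes]


def save_seed(pool: EntropyPool) -> bytes:
    # What a shutdown script stores: PRNG output, not raw "true random" bits.
    return pool.read(64)


def restore_seed(pool: EntropyPool, seed: bytes) -> int:
    # At boot the file is mixed in but credited zero, because an adversary
    # with offline access to the disk could have read it.
    pool.mix_in(seed, credit_bits=0)
    return pool.entropy_bits


def demo():
    boot1 = EntropyPool()
    boot1.mix_in(os.urandom(32), credit_bits=128)  # stands in for noise sources
    seed = save_seed(boot1)
    boot2 = EntropyPool()
    credited = restore_seed(boot2, seed)
    # The seed still changed boot2's state, it just earned no credit.
    return credited, boot2.state != EntropyPool().state
```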

