[Cryptography] randomness +- entropy

Watson Ladd watsonbladd at gmail.com
Mon Nov 4 23:46:05 EST 2013


On Mon, Nov 4, 2013 at 5:16 PM, Theodore Ts'o <tytso at mit.edu> wrote:
> On Mon, Nov 04, 2013 at 12:21:00PM -0700, John Denker wrote:
>>
>> FWIW note that current Linux distros make no attempt to
>> provide a reservoir of true-randomly distributed bits for
>> use at the next startup.  There are some efforts toward
>> storing a seed for the kernel PRNG, but the stored seed is
>> itself pseudo-randomly generated, and the kernel correctly
>> attributes zero entropy to it.
>
> One of the reasons why we don't attempt to extract "true random bits"
> and save them across a reboot is that even if we had such bits that were
> secure even if the underlying crypto primitives were compromised to a
> fare-thee-well, once you write them to the file on the hard drive and
> the OS gets shut down, there's no guarantee that an adversary might
> not be able to read the bits while the OS is shut down.  Even if you
> don't do something truly stupid (such as leaving your laptop
> unattended in a hotel room while visiting China), the risk of having
> your "true random bits" stolen is probably higher than the
> cryptographic primitives getting compromised.
>
> That's probably one of the reasons why people tend to not necessarily
> worry about the difference between a CSRNG and a TRNG in practice.
> For example, these are the people who believe that we should just
> replace Linux's /dev/random with a Fortuna RNG which doesn't even
> pretend to try to track entropy estimates, and which fundamentally
> assumes that the underlying crypto algorithms are secure, or at least,
> not the weakest link to worry about.  (Again, realistically, the
> chances that your OS kernel has some 0-day vulnerability that the
> NSA's Tailored Access Operations folks have purchased from some black
> hat is probably a bigger risk than there being a cryptographic
> weakness in AES or SHA that is exploitable given how we are using
> the encryption or crypto hash in Yarrow, Fortuna or Linux's
> /dev/random.)
Where do seeds come from?
>
> I still think it's worth it to have a /dev/random where we attempt to
> make an estimate of the entropy that we've collected and then later
> dispensed.  But I recognize that from an engineering perspective, the
> distinction is not going to be that important for many people who are
> interested in practical security issues.
I'm sorry: Did the Mind your P's and Q's paper escape everyone on this list?
There are thousands of devices out there generating keys on first power-on
with insufficient entropy, with observable deleterious effects.

This problem needs to be solved, and the only way to do it is to find
or add sources of randomness to the hardware and have the kernel
use them, as well as a critical failure if they do not exist/are not sufficient.
>
> Regards,
>
>                                         - Ted
> _______________________________________________
> The cryptography mailing list
> cryptography at metzdowd.com
> http://www.metzdowd.com/mailman/listinfo/cryptography



-- 
"Those who would give up Essential Liberty to purchase a little
Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
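The failure mode Watson describes (a device draws its first prime before the pool holds more than a few bits of entropy, mixes in more entropy only afterwards, and so ends up sharing a prime with other devices) and the two countermeasures the thread argues about (refuse to generate a key when no adequate entropy source exists; audit deployed moduli for shared factors) can be shown in a small simulation. The code below is an added illustration, not code from the mailing list or from the Linux kernel. It is a constructed model: `random.Random` stands in for a DRBG, a seeded `random.Random(2013)` stands in for the few bits of boot-time timing jitter, 48-bit primes keep it fast, and the per-device identifier stands in for late-arriving entropy such as a MAC address. `weak_fleet`, `hardened_fleet`, `first_boot_keygen_weak`, `first_boot_keygen_hardened`, `find_shared_factors` and `NoEntropySource` are names chosen here, not any project's API.

```python
import math
import os
import random
from itertools import combinations


def is_probable_prime(n):
    """Miller-Rabin. These seven bases are deterministic for n < 3.4e14,
    which covers the 48-bit candidates this simulation produces."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17)
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng, bits=48):
    """Draw odd candidates of exactly `bits` bits from rng until one is prime."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def first_boot_keygen_weak(device_id, boot_seed, bits=48):
    """Model of the flawed first-boot flow: p is drawn from a pool seeded
    with only a few bits (boot_seed), and the extra entropy (here the
    device id, standing in for e.g. a MAC address) arrives only before q."""
    rng = random.Random(boot_seed)
    p = random_prime(rng, bits)
    rng.seed(boot_seed.to_bytes(8, "big") + device_id.to_bytes(8, "big"))
    q = random_prime(rng, bits)
    return p * q


class NoEntropySource(RuntimeError):
    """Raised instead of silently generating a key from a near-empty pool."""


def first_boot_keygen_hardened(device_id, source, bits=48, min_bytes=32):
    """Hardened flow: fail hard unless a hardware-backed source supplies
    the whole seed before either prime is drawn. `source` is a callable
    returning bytes (os.urandom in the demo); device_id is unused on purpose."""
    if source is None:
        raise NoEntropySource("no hardware entropy source available")
    seed = source(min_bytes)
    if len(seed) < min_bytes:
        raise NoEntropySource("entropy source returned too little data")
    rng = random.Random(seed)
    p = random_prime(rng, bits)
    q = random_prime(rng, bits)
    return p * q


def weak_fleet(n_devices, boot_entropy_bits=4):
    """n_devices each boot once with boot_entropy_bits of constructed jitter.
    With 32 devices and 4 bits, two of them must share a seed, hence a p."""
    jitter = random.Random(2013)  # constructed stand-in for boot-time timing jitter
    return [first_boot_keygen_weak(d, jitter.getrandbits(boot_entropy_bits))
            for d in range(n_devices)]


def hardened_fleet(n_devices, source=os.urandom):
    return [first_boot_keygen_hardened(d, source) for d in range(n_devices)]


def find_shared_factors(moduli):
    """Defender-side audit over a set of public moduli: any pairwise gcd
    above 1 is a finding (a shared prime, or an identical key)."""
    hits = []
    for (i, n1), (j, n2) in combinations(enumerate(moduli), 2):
        g = math.gcd(n1, n2)
        if g > 1:
            hits.append((i, j, g))
    return hits


if __name__ == "__main__":
    weak = weak_fleet(32)
    print("weak fleet, shared-factor hits:", len(find_shared_factors(weak)))
    print("hardened fleet, shared-factor hits:", len(find_shared_factors(hardened_fleet(32))))
```

The audit in `find_shared_factors` is pairwise for readability; at the scale of the paper Watson cites a batch-GCD product tree is used instead, but the finding is the same: a gcd strictly between 1 and the modulus hands over both factors of both keys, which is the "observable deleterious effect" he refers to.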

