[Cryptography] randomness +- entropy

John Kelsey crypto.jmk at gmail.com
Tue Nov 5 17:31:12 EST 2013


On Nov 5, 2013, at 12:01 AM, Theodore Ts'o <tytso at mit.edu> wrote:

> On Mon, Nov 04, 2013 at 08:46:05PM -0800, Watson Ladd wrote:
>> I'm sorry: Did the Mind your P's and Q's paper escape everyone on this list?
>> There are thousands of devices out there generating keys on first-power on
>> with insufficient entropy, with observable deleterious effects.
> 
> Sure, we need enough entropy to seed the /dev/urandom device.  And
> there's been quite a lot of work to improve things since the P's and
> Q's paper.  The distinction that I was talking about is whether every
> single bit that is returned from /dev/random should correspond to bits
> of entropy gathered from the system (and where you block until the
> system has been able to gather enough entropy to satisfy the request),
> or whether you depend on the cryptographic algorithms for your
> security once the CSRNG has been sufficiently well seeded (which is
> what /dev/urandom in Linux is intended to do, as contrasted with the
> /dev/random device).

Is there any way for a program to find out if /dev/urandom has been seeded properly?  

It seems like the alternative for a developer is either hope /dev/urandom has gotten to a secure point before he reads his PRNG seed from it, or get his PRNG seed from /dev/urandom and potentially block, and also potentially make other stuff block.  But there isn't really any reason for that, right? If I want to initialize a cryptographic PRNG, or generate an RSA key, or whatever, I am shooting for computational security, which /dev/urandom should give me *once it has reached a secure state*.  I don't need full-entropy bits--I'm not generating a one-time pad or something.  I just need something that is impossible to guess without more computing power than my attacker has. 

--John
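Added example, not part of the thread: the question above ("can a program find out whether /dev/urandom has been seeded?") has a direct answer on Linux kernels newer than this 2013 message, the getrandom(2) system call. With flags=0 it blocks only until the kernel CRNG has been seeded once and then behaves like urandom; with GRND_NONBLOCK it returns EAGAIN instead of blocking, which turns it into a seeded-yet probe. This code is mine, assumes a Linux build with glibc's <sys/random.h>, and the function names urandom_seeded and read_prng_seed are my own. It checks initialization of the pool, which is exactly the "secure state" John asks about; it says nothing about per-bit entropy, which is the /dev/random property Ted's reply distinguishes.

```c
/* Added example (not code from the thread): probe whether the Linux
 * urandom pool is seeded, then read a PRNG seed that blocks only until
 * that one-time initialization, never for "fresh entropy". Assumes Linux
 * with getrandom(2), which was added after this 2013 message was written. */
#include <errno.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Returns 1 if the kernel CRNG is initialized (urandom output is usable for
 * keys), 0 if the pool has not been seeded yet, -1 on any other error
 * (e.g. a kernel without getrandom). */
int urandom_seeded(void)
{
    unsigned char probe[1];
    ssize_t n = getrandom(probe, sizeof probe, GRND_NONBLOCK);
    if (n == 1)
        return 1;
    if (n < 0 && errno == EAGAIN)   /* pool exists but not seeded yet */
        return 0;
    return -1;
}

/* Fill seed[0..len) from the seeded pool. With flags=0 the call waits only
 * until the CRNG has been initialized once at boot, then never blocks the
 * way /dev/random does. Returns bytes written, or -1 on error. */
ssize_t read_prng_seed(unsigned char *seed, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(seed + got, len - got, 0);
        if (n < 0) {
            if (errno == EINTR)      /* signal while waiting for init: retry */
                continue;
            return -1;
        }
        got += (size_t)n;
    }
    return (ssize_t)got;
}

/* Cheap sanity check on a freshly read seed: an all-zero buffer means the
 * read did not really happen (probability of a genuine all-zero 32-byte
 * seed is 2^-256). */
int seed_looks_filled(const unsigned char *seed, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= seed[i];
    return acc != 0;
}

int main(void)
{
    unsigned char seed[32];
    int state = urandom_seeded();
    printf("kernel CRNG seeded: %s\n",
           state == 1 ? "yes" : state == 0 ? "not yet" : "unknown");
    if (read_prng_seed(seed, sizeof seed) == (ssize_t)sizeof seed) {
        printf("32-byte PRNG seed: ");
        for (size_t i = 0; i < sizeof seed; i++)
            printf("%02x", seed[i]);
        printf("\n");
    }
    return 0;
}
```

On an early-boot service (the first-power-on key generation case Watson Ladd raises), call urandom_seeded() and defer key generation, or simply call read_prng_seed() and accept the one-time wait; what you should not do is read /dev/urandom with a plain open()/read(), which on older kernels returns data even before the pool is initialized.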

