[Cryptography] randomness +- entropy

Theodore Ts'o tytso at mit.edu
Thu Nov 7 14:50:23 EST 2013


On Thu, Nov 07, 2013 at 11:41:02AM +0200, Yaron Sheffer wrote:
> 
> When this Minstrel guy reads urandom (which only has 23 bits of
> entropy at the time), do you reset the entropy estimate to 0? If you
> don't, and Minstrel broadcasts the random value somehow (in this
> case, as a timing value) an attacker can easily discover the first
> 23 bits of entropy which would make guessing the PRNG value of the
> next consumer much easier.

Yes, we do.  The minstrel driver is using get_random_bytes(), which
does decrement the entropy.

The bigger problem is that it doesn't call it once --- it calls it
several dozen times, so it basically drains the entropy all the way
down to zero.  So if it doesn't need secure random numbers, I'd much
rather get it using a prng so we don't waste the entropy, so that
urandom can get fully initialized more quickly.

    - Ted
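As an added illustration (not code from Ted's message or from the kernel), here is a toy model in C of the entropy accounting the thread describes: a pool with an entropy estimate, a get_random_bytes()-style extraction that debits the estimate, and a non-cryptographic PRNG that leaves the pool alone. The names model_get_random_bytes, model_prandom_u32, credit_entropy and entropy_left, the POOL_BITS cap and the "8 bits debited per byte" rule are modelling assumptions, not the kernel's real interfaces.

```c
/* Toy model of the entropy accounting in the thread above. Assumptions, not
 * kernel code: one pool with a bit-count estimate capped at POOL_BITS, each
 * extracted byte debits 8 bits, and the estimate floors at zero. */
#include <stddef.h>
#include <stdint.h>

#define POOL_BITS 4096

struct pool {
    unsigned entropy_count; /* estimated entropy still in the pool, in bits */
    uint64_t state;         /* stand-in for the pool contents */
};

/* Credit entropy gathered from an input event (e.g. interrupt timing). */
static void credit_entropy(struct pool *p, unsigned bits) {
    unsigned total = p->entropy_count + bits;
    p->entropy_count = total > POOL_BITS ? POOL_BITS : total;
}

/* Model of get_random_bytes(): fills buf and debits the estimate. */
static void model_get_random_bytes(struct pool *p, uint8_t *buf, size_t n) {
    unsigned debit = (unsigned)n * 8;
    for (size_t i = 0; i < n; i++) {
        p->state = p->state * 6364136223846793005ULL + 1442695040888963407ULL;
        buf[i] = (uint8_t)(p->state >> 56);
    }
    p->entropy_count = debit >= p->entropy_count ? 0 : p->entropy_count - debit;
}

/* Non-cryptographic PRNG (xorshift32) for callers that need no security. */
static uint32_t model_prandom_u32(uint32_t *s) {
    *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5;
    return *s;
}

/* A driver drawing `calls` 32-bit values; returns the entropy estimate left. */
static unsigned entropy_left(unsigned initial_bits, int calls, int use_prng) {
    struct pool p = { 0, 1 };
    uint32_t s = 0x9e3779b9u;
    uint8_t v[4];
    credit_entropy(&p, initial_bits);
    for (int i = 0; i < calls; i++) {
        if (use_prng) (void)model_prandom_u32(&s);    /* pool untouched */
        else model_get_random_bytes(&p, v, sizeof v);  /* 32 bits debited */
    }
    return p.entropy_count;
}
```

With 23 bits in the pool, a single 4-byte get_random_bytes()-style call already empties the estimate, while forty PRNG draws leave it at 23.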
