[Cryptography] randomness +- entropy

ianG iang at iang.org
Sat Nov 9 06:14:04 EST 2013


On 9/11/13 00:12 AM, Theodore Ts'o wrote:
...
> There are some further changes that could be made, and which I am
> thinking about.  Part of this includes using AES for /dev/urandom,
> since we now have CPU's with AES acceleration, and we no longer need
> to worry as much about export control laws (the current design was
> implemented in 1994, back when crypto export was a real issue).

(nod)

> One
> of the things that is holding me back is that currently the Crypto
> layer in Linux is optional, and can be compiled as a module, and I've
> always wanted to make sure /dev/random was something user programs
> could always count on being there.  So there are some negotiations I
> need to make with the maintainers of the Crypto subsystem about how to
> make this all work, since it would require making such changes in how
> the Crypto layer is configured.


I would recommend you not call the methods in the Crypto subsystem, and 
not negotiate with the developers at all.  Simply copy the AES code 
across (from anywhere) and duplicate it so that you have complete 
independence and complete control.  Interdependencies between security 
modules are a sin, and code reuse while nice is not a good enough reason 
to complicate the net of dependencies underneath the security surface.

Also, your use of the AES algorithm is entirely distinct to theirs.  You 
only go one way, like a hash; theirs is two-way, encrypt and decrypt, 
reversibly.  You may be able to happily strip out parts of AES in order 
to get a better efficiency, they cannot.  E.g., it may be possible to 
use less of the code and more of the AES instructions directly to get 
all you need (I don't know, I'm just speculating here...).



iang
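The one-way use of AES that ianG describes, as an added example that is not code from this thread or from the Linux kernel: a simplified CTR_DRBG in Go (chosen because crypto/aes is in its standard library) that calls only the AES encrypt direction, never decrypt. The names drbg, next, update, newDRBG and generate are this example's own, and it omits SP 800-90A's derivation function and reseed counter.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
)
// drbg is a simplified CTR_DRBG (SP 800-90A, AES-256, no derivation function).
// Only Block.Encrypt is ever called: a one-way, "like a hash" use of AES.
type drbg struct {
	blk cipher.Block
	key [32]byte // current AES-256 key, replaced after every generate call
	v   [16]byte // 128-bit counter block
}
// next advances V and writes AES_key(V) to dst. Incrementing only the low
// 64 bits of V is enough here: far fewer than 2^64 blocks are made per key.
func (d *drbg) next(dst []byte) {
	binary.BigEndian.PutUint64(d.v[8:], binary.BigEndian.Uint64(d.v[8:])+1)
	d.blk.Encrypt(dst, d.v[:])
}
// update replaces key and V with AES output XOR data (48 bytes), so the key
// that produced the previous output is erased (backtracking resistance).
func (d *drbg) update(data []byte) {
	var tmp [48]byte
	for i := 0; i < 48; i += 16 {
		d.next(tmp[i:])
	}
	for i := range tmp {
		tmp[i] ^= data[i]
	}
	copy(d.key[:], tmp[:32])
	copy(d.v[:], tmp[32:])
	d.blk, _ = aes.NewCipher(d.key[:]) // 32-byte key: NewCipher cannot fail
}
// newDRBG instantiates the generator from 48 bytes of entropy input.
func newDRBG(seed [48]byte) *drbg {
	d := &drbg{}
	d.blk, _ = aes.NewCipher(d.key[:]) // all-zero initial key, per SP 800-90A
	d.update(seed[:])
	return d
}
// generate returns n output bytes, then updates the state with no extra input.
func (d *drbg) generate(n int) []byte {
	out := make([]byte, (n+15)/16*16) // whole blocks, trimmed below
	for i := 0; i < len(out); i += 16 {
		d.next(out[i:])
	}
	d.update(make([]byte, 48))
	return out[:n]
}
```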


