[Cryptography] /dev/random has always been a poor design [was Re: randomness +- entropy]

Nemo nemo at self-evident.org
Tue Nov 12 13:27:55 EST 2013


John Kelsey <crypto.jmk at gmail.com> writes:

> I can't think of many times when it's really appropriate to demand
> full entropy, rather than cryptographically secure bits.

Well now, let's see. The stated intent of /dev/random is for people who
"don't trust the crypto", whatever that means. (I would say another word
for such people is "morons", but never mind.)

For any non-cryptographic purpose, a cryptographically strong
pseudo-random generator is just as good as truly random
data. "Indistinguishable", one might say.

For any cryptographic purpose, you either "trust the crypto" (for some
value of "crypto"), or you are using a one-time pad.

Therefore, there is exactly one application where /dev/random is needed,
and that is for generating one-time pads. Used any lately?

On the other hand, /dev/urandom is never useful for cryptography, since
there is no way to know whether the state has been properly seeded.

This total disaster of a design has been pointed out repeatedly for 15+
years. It is completely obvious, but it has not been fixed because the
Linux /dev/random maintainer(s) *do not understand cryptography*.

For example, when someone in academia identifies some powerful attack
model, shows a PRNG design that thwarts it, and then publishes a paper,
the /dev/random maintainer(s) reaction is always of the form "but if
they could do that, they must have root access on the system blah blah
blah". They will go off on some tangent about the uselessness of formal
software verification or the irrelevance of "academic" proofs or
whatever. Basically, they will demonstrate for the Nth time why they
should never be allowed near any critical code, never mind cryptographic
code.

Then there is the /dev/random implementation: That utterly ad-hoc,
unanalyzable moving target. "NO THAT'S FIXED IN MY TREE! THE AUTHOR
ISN'T USING THE LATEST GIT!!!1!" Seriously?

If organizations like NSA are the adversary, simple designs with
provable attributes are an absolute necessity, because quite frankly
they are smarter than all of us combined. Linux /dev/random is a
liability.

But hey, thanks for trying once more, John. Based on history, there is
zero reason to be optimistic, but I would love to be wrong.

 - Nemo
   https://self-evident.org/
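Added example, not part of Nemo's post or the kernel's code: the "has the pool been seeded" check the post says /dev/urandom cannot provide, done with the later Linux getrandom(2) syscall. SYS_getrandom and GRND_NONBLOCK are the real Linux identifiers; the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>

#define GRND_NONBLOCK 0x0001   /* value from <linux/random.h> */

/* Raw syscall wrapper so this builds even on glibc without <sys/random.h>. */
static long sys_getrandom(void *buf, size_t len, unsigned int flags)
{
    return syscall(SYS_getrandom, buf, len, flags);
}

/* 1 = pool seeded, 0 = not yet seeded, -1 = other error.
 * GRND_NONBLOCK makes getrandom fail with EAGAIN instead of blocking
 * while the pool is uninitialised: the signal /dev/urandom never gives. */
int pool_seeded(void)
{
    unsigned char probe;
    long r = sys_getrandom(&probe, 1, GRND_NONBLOCK);
    if (r == 1) return 1;
    if (r < 0 && errno == EAGAIN) return 0;
    return -1;
}

/* Fill buf with n bytes from the kernel CSPRNG. flags = 0 blocks only
 * until the pool has been seeded once, never on an entropy estimate.
 * Returns n on success, -1 on failure. */
long fill_random(unsigned char *buf, size_t n)
{
    size_t got = 0;
    while (got < n) {
        long r = sys_getrandom(buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;
        }
        got += (size_t)r;
    }
    return (long)got;
}

int main(void)
{
    unsigned char key[32];
    printf("seeded=%d filled=%ld\n", pool_seeded(), fill_random(key, sizeof key));
    return 0;
}
```

On a booted system pool_seeded() reports 1; early in boot, or in a fresh VM without a saved seed, it can report 0, which is exactly the state /dev/urandom would silently serve bytes in.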