[Cryptography] [RNG] /dev/random initialisation

John Kelsey crypto.jmk at gmail.com
Wed Oct 30 23:28:18 EDT 2013


On Oct 30, 2013, at 2:09 PM, Jerry Leichter <leichter at lrw.com> wrote:

> On Oct 30, 2013, at 8:29 AM, ianG <iang at iang.org> wrote:
>> Do we see a multi-phase approach here?
>> 
>> 1.  Limit the sources to FIPS-authenticated inputs.
>> 2.  Limit the number of sources that can be used.
>> 3.  Do a deal with all major suppliers of FIPS-authenticated inputs.
>> 4.  Profit.
>> 
>> This is looking like the same multi-pronged strategy that sunk DRBG_EC.
> Maybe.  Or maybe we just see a misapplied reasonable principle that any input that could affect sensitive data must be authenticated.

The part of the standard involving entropy sources isn't done yet, but when it is, RBGs really will have to ultimately be fed by an approved entropy source.  The alternative seems to be leaving people in the current situation, where there's more or less no way of knowing how much entropy is being collected, or where it's coming from.  If the entropy source is good, then the RBG should end up secure.  

The restriction on external sources of additional input is pretty obviously a misunderstanding--someone somewhere got confused between entropy source inputs (which need to come from some trusted entropy source) and additional inputs (which can come from anywhere).  

I'm not sure what that "do a deal with fips authenticated inputs"  bit is even supposed to mean.  But this kind of nonsense doesn't have to make sense, it just has to be entertaining.  

> "Never attribute to malice what can be explained by incompetence."  One of the really bad things about the NSA's apparent attempts to subvert crypto is that it leads you to question this assertion.  We just have no way of knowing.

That's true.  But it's also true that security is hard to get right.  Lots and lots of dumb policies and decisions have been accepted or imposed by people who thought they were doing something sensible, but were really making security weaker.  And the bit where people make up conspiracy theories to explain every such failure has zero chance of improving security.  

>                                                        -- Jerry

--John
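The distinction John draws between entropy-source input and additional input is easiest to see in the SP 800-90A constructions themselves. The following is an added illustration, not code from this post, from NIST, or from any /dev/random implementation: a straightforward HMAC_DRBG over SHA-256 (SP 800-90A section 10.1.2) with comments marking where each input enters. Entropy input is the only thing that seeds K and V, so it must come from a source you trust; additional input is merely mixed into an already-secret state at generate/reseed time, so it can come from anywhere (including an adversary) without giving that party control over the output. The length checks on entropy_input and nonce, the configurable reseed_interval, and the sample byte strings are assumptions made for this example.

```python
"""HMAC_DRBG (SP 800-90A, section 10.1.2) over SHA-256, written to show
which input carries security and which does not.  Example code, not the
text of the standard.

entropy_input    -> sole seed of (K, V) at instantiate and reseed; all output
                    secrecy rests on it, so it must come from a trusted source.
additional_input -> mixed into the already-secret state at generate/reseed;
                    it may come from anywhere, because the HMAC update never
                    lets known data reduce the entropy already in (K, V).
"""
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size   # 32 bytes
SECURITY_STRENGTH_BYTES = 32            # 256-bit security strength (assumption)


class ReseedRequired(Exception):
    """Raised once reseed_counter exceeds reseed_interval (spec default 2**48)."""


class HmacDrbg:
    def __init__(self, entropy_input, nonce, personalization=b"",
                 reseed_interval=2 ** 48):
        # Spec minimums: entropy_input >= security_strength bits, nonce >= half that.
        if len(entropy_input) < SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input shorter than the security strength")
        if len(nonce) < SECURITY_STRENGTH_BYTES // 2:
            raise ValueError("nonce shorter than security_strength/2")
        self.reseed_interval = reseed_interval
        self._K = b"\x00" * OUTLEN
        self._V = b"\x01" * OUTLEN
        # Instantiate: ONLY the trusted entropy (plus nonce/personalization) seeds the state.
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data):
        return hmac.new(self._K, data, hashlib.sha256).digest()

    def _update(self, provided_data):
        """HMAC_DRBG_Update: fold provided_data into (K, V)."""
        self._K = self._hmac(self._V + b"\x00" + provided_data)
        self._V = self._hmac(self._V)
        if not provided_data:
            return
        self._K = self._hmac(self._V + b"\x01" + provided_data)
        self._V = self._hmac(self._V)

    def reseed(self, entropy_input, additional_input=b""):
        """Reseed: fresh trusted entropy, optionally with untrusted additional input."""
        if len(entropy_input) < SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input shorter than the security strength")
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, nbytes, additional_input=b""):
        """Generate: additional_input (from anywhere) is mixed in before and after output."""
        if self.reseed_counter > self.reseed_interval:
            raise ReseedRequired("reseed with fresh entropy before generating again")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self._V = self._hmac(self._V)
            out += self._V
        self._update(additional_input)   # back-tracking resistance; empty input is fine
        self.reseed_counter += 1
        return out[:nbytes]

    @classmethod
    def from_os(cls, **kwargs):
        """Seed from the OS entropy source (os.urandom) rather than constructed bytes."""
        return cls(os.urandom(48), os.urandom(16), **kwargs)


# Constructed sample inputs for a deterministic demonstration (not real entropy).
SAMPLE_ENTROPY = bytes(range(48))
SAMPLE_NONCE = b"\x11" * 16

if __name__ == "__main__":
    drbg = HmacDrbg.from_os()
    print(drbg.generate(32, b"untrusted caller data").hex())
```

Two things the code makes concrete: every byte of output is a function of (K, V), which only entropy_input ever creates, so a bad entropy source is fatal no matter how good the additional input is; and additional input is folded in through HMAC keyed by the secret K, so an attacker who chooses it changes the output but cannot predict or bias it. Reseeding after the interval again requires real entropy, which is the point of distinguishing the two inputs in the standard.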

