[Cryptography] [RNG] /dev/random initialisation

Kent Borg kentborg at borg.org
Thu Oct 31 10:31:48 EDT 2013


On 10/30/2013 05:00 PM, Jerry Leichter wrote:
> On Oct 30, 2013, at 4:32 PM, "James A. Donald" <jamesd at echeque.com> wrote:
>> No source of entropy can ever be harmful. The worst that can happen is that it is entirely predictable to the adversary, in which case it does little good, but can never do harm.
> Are you so sure?

You make a good point: If an attacker can feed crafted data as an "it 
can't hurt" entropy source, and if the attacker can draw entropy out, it 
is possible to break the entropy accounting, making it think there is 
more entropy there than there really is.  (Fair summary?)

This then turns the attacker's problem into breaking the hashing or 
encryption that is at the heart of the RNG.

But the problem isn't the extra entropy sources, it is broken accounting.

I want lots of entropy sources.  It makes the attacker's task more 
difficult.  Even if the attacker's job maybe starts out impossible, I 
like making it harder.

> and I'm not sure that a Linux-style generator does.  If you have it ... why would you need to allow additional (allegedly random) sources?

Linux tries hard to not credit "can't hurt" sources.  It doesn't even 
credit the reading of a stored pool at boot.


-kb, the Kent who doesn't like entropy accounting to begin with, it just 
feels like we are fooling ourselves.
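The accounting problem the reply describes, as an added toy model that is not from the list post or the Linux kernel: the pool state is always hash-mixed, and the only difference between the two policies is whether a "can't hurt" source is credited. The 128-bit genuine seed, the 32-byte attacker feed, the 16-byte drain and the "naive" policy are constructed assumptions.

```python
import hashlib
import os

POOL_BITS = 4096  # cap on the estimate, like a fixed-size input pool


class EntropyPool:
    """Toy model (constructed here, not the kernel's code): a hash-mixed
    state plus a separate entropy *estimate* that sources credit and
    reads debit. Mixing always happens; only the credit is policy."""

    def __init__(self):
        self.state = hashlib.sha256(b"toy-pool").digest()
        self.entropy_bits = 0

    def mix(self, data: bytes, credit_bits: int = 0) -> int:
        # Mixing cannot reduce unpredictability already in the state: the
        # old state is hashed together with the new bytes, whoever chose them.
        self.state = hashlib.sha256(self.state + data).digest()
        # Crediting is where accounting can go wrong. A Linux-style policy
        # passes credit_bits=0 for a source it does not trust.
        self.entropy_bits = min(POOL_BITS, self.entropy_bits + credit_bits)
        return self.entropy_bits

    def read(self, nbytes: int) -> bytes:
        out = hashlib.sha256(b"extract" + self.state).digest()[:nbytes]
        self.state = hashlib.sha256(b"advance" + self.state).digest()
        self.entropy_bits = max(0, self.entropy_bits - 8 * nbytes)
        return out


def accounting_demo(rounds: int = 3) -> dict:
    """One genuine 128-bit seed, then `rounds` of: attacker feeds 32 known
    bytes and drains 16 bytes. Returns each policy's estimate next to the
    genuinely unpredictable bits actually left."""
    naive, strict = EntropyPool(), EntropyPool()
    seed = os.urandom(16)                   # the only real entropy here
    for pool in (naive, strict):
        pool.mix(seed, credit_bits=128)
    real_bits = 128
    known = b"A" * 32                       # constructed, attacker-chosen
    for _ in range(rounds):
        naive.mix(known, credit_bits=256)   # credits the "can't hurt" source
        strict.mix(known, credit_bits=0)    # mixes it in, credits nothing
        naive.read(16)
        strict.read(16)
        real_bits = max(0, real_bits - 128)
    return {"naive": naive.entropy_bits, "strict": strict.entropy_bits,
            "real": real_bits}
```

With the naive policy the estimate grows by 128 bits per round while the real figure hits zero after the first drain; the strict policy tracks reality.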
