[Cryptography] Random numbers only once

John Kelsey crypto.jmk at gmail.com
Thu Feb 20 17:18:31 EST 2014

> On Feb 4, 2014, at 2:19 AM, Tony Arcieri <bascule at gmail.com> wrote:
>> On Mon, Feb 3, 2014 at 9:12 PM, Watson Ladd <watsonbladd at gmail.com> wrote:
>> Why does /dev/random not do this and so avoid blocking after startup?
> The /dev/random vs /dev/urandom distinction is probably a mistake. Also making these things files in /dev is also probably a mistake. Ideally there would just be a system call to obtain some randomness from the kernel, then an awful lot of work to ensure that randomness is good. It shouldn't block.

If the pool doesn't have enough entropy, it *has* to block or return an error code or something. Otherwise, we get back into the realm of the bug that led to all those appliance routers and firewalls sharing primes in their RSA moduli.

Now, if you have a hardware RNG and you're willing to trust it, you can avoid blocking, since the hardware RNG is surely going to be able to give you 256 bits of entropy very quickly, and you can use that to seed AES256 CTR-DRBG or SHA256 HMAC-DRBG, and from there you have as many bits as you need.  

If you have a hardware RNG and don't want to trust it, then you're back to either blocking or generating output bits you don't fully trust. 

> Tony Arcieri

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20140220/909afa82/attachment.html>

More information about the cryptography mailing list