[Cryptography] Random numbers only once

John Kelsey crypto.jmk at gmail.com
Fri Feb 21 01:12:20 EST 2014


> On Feb 20, 2014, at 8:54 PM, Peter Gutmann <pgut001 at cs.auckland.ac.nz> wrote:
> 
> John Kelsey <crypto.jmk at gmail.com> writes:
> 
>> If the pool doesn't have enough entropy, it *has* to block or return an error
>> code or something.
> 
> Translated:
> 
>  If some obscure system component the user has never heard of before doesn't
>  have enough zarglemorf, it has to stop the system from functioning.
> 
> It's fair enough to make this a theoretical requirement, but it'll never fly
> in practice.

Well, it's not a requirement for 99%+ of uses of random numbers.  But before you generate a crypto key, you need at least 128 or so bits of entropy that haven't been used to generate any other outputs, so that you can seed an RNG.  If you don't have that, and you seed the RNG and generate the crypto key anyway, you get something that looks just like real crypto, except that there are attackers who can sign messages coming from you or read your encrypted mail, and every now and then some smartass academic will be factoring thousands of your devices' RSA keys because they all share primes.  

The best answer I see to this is a hardware entropy source built into everything, combined with whatever entropy can be collected in time to seed a good DRBG.

> Peter.

--John
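As an added illustration of the rule John states above (this is example code, not from the thread or any project it mentions): an entropy pool that credits estimated entropy, refuses to seed a DRBG until 128 fresh bits have been credited, and spends those bits on the seed; the 128-bit threshold is the post's, while the pool API, the entropy estimates and the simplified HMAC-DRBG are assumptions made for the example.

```python
import hashlib
import hmac

class InsufficientEntropy(Exception): pass

class EntropyPool:
    # Accumulates samples and tracks credited entropy; a drawn seed spends that credit.
    MIN_SEED_BITS = 128  # the threshold the post names for seeding a key-generation DRBG

    def __init__(self):
        self._h = hashlib.sha256()
        self.credited_bits = 0

    def add(self, sample: bytes, estimated_bits: int) -> None:
        self._h.update(sample)                 # mix the raw sample in
        self.credited_bits += estimated_bits   # credit only a conservative estimate

    def draw_seed(self) -> bytes:
        # Fail closed (raise) rather than hand out a seed backed by too little entropy.
        if self.credited_bits < self.MIN_SEED_BITS:
            raise InsufficientEntropy(f"{self.credited_bits} bits credited, need {self.MIN_SEED_BITS}")
        seed = self._h.digest()
        self._h = hashlib.sha256(seed)  # chain state, but the next seed still needs fresh credit
        self.credited_bits = 0          # these bits are now spent on this seed
        return seed

class HmacDrbg:
    # Simplified HMAC-DRBG (SP 800-90A style update/generate, no reseed counter).
    def __init__(self, seed: bytes):
        self._k, self._v = b"\x00" * 32, b"\x01" * 32
        self._update(seed)

    def _update(self, data: bytes) -> None:
        for sep in (b"\x00", b"\x01"):
            self._k = hmac.new(self._k, self._v + sep + data, hashlib.sha256).digest()
            self._v = hmac.new(self._k, self._v, hashlib.sha256).digest()
            if not data:
                break

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._v = hmac.new(self._k, self._v, hashlib.sha256).digest()
            out += self._v
        self._update(b"")
        return out[:n]

def key_material(pool: EntropyPool, n: int = 32) -> bytes:
    # Seed a DRBG from the pool and produce n bytes; raises if entropy is insufficient.
    return HmacDrbg(pool.draw_seed()).generate(n)
```

Two devices that feed identical low-entropy samples into the pool get identical key material, which is the shared-key outcome the post warns about; the fail-closed check is what prevents that material from being used.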


More information about the cryptography mailing list