[Cryptography] cheap sources of entropy

Bill Stewart bill.stewart at pobox.com
Tue Jan 28 01:23:54 EST 2014


At 07:10 AM 1/21/2014, Theodore Ts'o wrote:
>[1] http://zsoltfabok.com/blog/2013/01/parkinsons-law/
>I'm not sure whether the RNG is better characterized as the "bite
>shed" or the "coffee for refreshments" as described in Parkinson's 3rd
>chapter, "High Finance, or the Point of Vanishing Interest", but I
>know one thing for sure.  It's not the 10 million pound nuclear
>reactor.

It's clearly into bike shed territory, thus the endless discussion.
We've all got ideas about the problem and how to fix it, or how it's unfixable,
or at least how somebody else's solution to it is clearly wrong wrong wrong,
unlike the coffee case where we'd have all agreed on a good-enough solution
("But I don't like coffee!" "Fine, we'll also order donuts and tea." "Ok, whatever.")

I'd be tempted to take the Intel "NSA Inside" RNG, hash each 32 bits down to 1,
hash it in with any other available entropy, and call it a day.
Probably simple parity calculation is as good as fancier hashes for that,
but hash in the system clock if you'd like.
Maybe use 128 bits instead of 32 if you don't have any other saved entropy.


-- other comments on paint colours for the bike shed --
There are lots of recommendations for what to do if you can add on hardware,
such as accelerometers (much more useful for cellphones than rack-mounted servers,
which are kind of tough to wave around), USB cameras (if you can trust the USB
on your VMware server), sound cards with or without microphones (ditto),
but sometimes you just can't.  There's CPU timing randomness
(not sure how random the low-order bits are in a virtual machine);
clocks aren't all that random, though they can help you against replay attacks;
and for a virtual machine you really need to do something to prevent
everybody from using the same "entropy" seed in their identical images.
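The "hash each 32 bits down to 1 by parity, then hash it in with whatever else you have" step above, written out as an added example (mine, not Bill's or any library's): SHA-256 as the mixing hash, the wall clock as the "other entropy", and a constructed skewed bit source standing in for a hardware RNG are all assumptions. Measuring the bias before and after condensing shows why parity is good enough here: the parity of 32 independent bits each biased by 0.1 is biased by only 2^31 * 0.1^32.

```python
import hashlib
import random
import struct
import time

def parity(word: int) -> int:
    """XOR of every bit of word: 1 if its popcount is odd, else 0."""
    return bin(word).count("1") & 1

def condense(raw: bytes, word_bits: int = 32) -> bytes:  # "each 32 bits down to 1"
    """Reduce each word_bits-bit word of raw to its parity bit and pack the
    bits MSB-first into bytes; a trailing partial word or byte is dropped."""
    wb = word_bits // 8
    bits = [parity(int.from_bytes(raw[i:i + wb], "big"))
            for i in range(0, len(raw) - wb + 1, wb)]
    nbytes = len(bits) // 8
    value = int("".join(map(str, bits[:nbytes * 8])) or "0", 2)
    return value.to_bytes(nbytes, "big")

def mix_seed(*sources: bytes) -> bytes:
    """Hash the condensed bits in with any other entropy on hand (SHA-256 is
    an assumption); inputs are length-prefixed so they cannot run together."""
    h = hashlib.sha256()
    for s in sources:
        h.update(struct.pack(">I", len(s)) + s)
    return h.digest()

def bias(data: bytes) -> float:
    """|P(bit = 1) - 1/2| measured over all bits of data."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5)

def biased_source(nbytes: int, p_one: float, seed: int = 1) -> bytes:
    """Constructed stand-in for a skewed hardware RNG (not real RDRAND output):
    every bit is 1 with probability p_one, independently of the others."""
    rng, out = random.Random(seed), bytearray()
    for _ in range(nbytes):
        byte = 0
        for _ in range(8):
            byte = (byte << 1) | int(rng.random() < p_one)
        out.append(byte)
    return bytes(out)

if __name__ == "__main__":
    raw = biased_source(8000 * 4, 0.6)   # 8000 words of 32 bits, 60% ones
    cond = condense(raw)                 # 8000 parity bits -> 1000 bytes
    print(f"raw bias {bias(raw):.3f}, condensed bias {bias(cond):.3f}")
    print("seed:", mix_seed(cond, struct.pack(">d", time.time())).hex())
```

Parity is linear, so it removes per-bit skew but not structure an adversarial source could plant; that is what the hash-in step with independent entropy is for.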