[Cryptography] cheap sources of entropy

John Kelsey crypto.jmk at gmail.com
Tue Jan 28 21:09:48 EST 2014


On Jan 28, 2014, at 5:41 PM, Krisztián Pintér <pinterkr at gmail.com> wrote:
> That might prove itself harder than it seems, if we don't have a good
> estimate on the entropy. There is a solution though. The Fortuna RNG does
> it in a very clever way: it runs 32 parallel entropy collectors. It
> uses the first of them for every reseeding. It uses the second one for
> every second reseeding. It uses the third for every fourth
> reseeding, and so on. Even if we have no clue about the entropy
> production, it will eventually recover from a compromised state.

Unfortunately, pretty much all real-world systems have some time (often very soon after their first startup) when they have to generate some high value key.  To a first approximation, the only entropy estimate that really matters is the one used to decide whether there's enough entropy to generate that key.  We have worked examples of crypto libraries which don't bother making sure they have enough entropy (by reading /dev/random), but instead just draw a seed from /dev/urandom and hope for the best, so even getting your crypto libraries to bother to check if they have entropy is not trivial.  

Fortuna is an elegant and clever solution to the wrong problem.

--John
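The pool schedule Krisztián describes, as an added example that is not code from this thread or from any Fortuna implementation: a minimal Fortuna-style accumulator with 32 hash pools, where pool i contributes to every 2^i-th reseed. The class and method names are hypothetical and the key derivation is simplified to a single SHA-256; the point is the schedule, which is what lets the state recover once any one pool has collected enough unobserved entropy.

```python
import hashlib

NUM_POOLS = 32  # Fortuna's fixed number of entropy pools


class FortunaPools:
    """Toy Fortuna-style accumulator (hypothetical; not a production RNG)."""

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.reseed_count = 0
        # Generator key; assume it starts out known to an attacker.
        self.key = b"\x00" * 32

    def add_event(self, source_id: int, data: bytes, pool_index: int) -> None:
        """Append one entropy event (source id, length, bytes) to a pool."""
        # Real Fortuna cycles each source round-robin over the pools;
        # here the caller chooses the pool to keep the schedule visible.
        self.pools[pool_index].update(bytes([source_id, len(data)]) + data)

    @staticmethod
    def pools_for_reseed(n: int) -> list:
        """Pools used on reseed number n (1-based): pool i iff 2^i divides n."""
        return [i for i in range(NUM_POOLS) if n % (1 << i) == 0]

    def reseed(self) -> list:
        """Fold the scheduled pools into the key; return the pools that were used."""
        self.reseed_count += 1
        used = self.pools_for_reseed(self.reseed_count)
        material = self.key
        for i in used:
            material += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()  # pool is emptied once consumed
        self.key = hashlib.sha256(material).digest()
        return used


def reseeds_until_pool_is_used(pool_index: int) -> int:
    """Worst-case reseeds before pool i first feeds the key: 2^i."""
    return 1 << pool_index
```

Pool 0 is drained on every reseed, pool 1 on every second, pool 5 only every 32nd; an attacker who sees all events going into the fast pools still loses track of the key once a slower pool that they never observed is finally folded in.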
