[Cryptography] Not everything is Linux (was: Re: cheap sources of entropy)

Paul Hoffman paul.hoffman at vpnc.org
Tue Jan 28 21:35:40 EST 2014


On Jan 28, 2014, at 6:09 PM, John Kelsey <crypto.jmk at gmail.com> wrote:

> Unfortunately, pretty much all real-world systems have some time (often very soon after their first startup) when they have to generate some high value key.  

One of the threads earlier on this meta-topic pointed out that this does not need to be true: keying sshd during the first boot of a system is handy but often completely unnecessary; it obviously can be dangerous.

> To a first approximation, the only entropy estimate that really matters is the one used to decide whether there's enough entropy to generate that key.  We have worked examples of crypto libraries which don't bother making sure they have enough entropy (by reading /dev/random), but instead just draw a seed from /dev/urandom and hope for the best, so even getting your crypto libraries to bother to check if they have entropy is not trivial.  

This is part of the reasoning for the design of some non-Linux systems to not assume that application developers understand this. On all recent FreeBSDs:

# dir /dev | grep random
crw-rw-rw-   1 root  wheel     0x14 Oct  7 07:01 random
lrwxr-xr-x   1 root  wheel        6 Oct  7 14:00 urandom -> random

> Fortuna is an elegant and clever solution to the wrong problem.

Exactly.

--Paul Hoffman
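As an added illustration of the point argued in this message (not code from the original post, from FreeBSD, or from any library mentioned), the C below contrasts the two ways of seeding that Kelsey describes. `seed_from_kernel()` goes through getentropy(3), which on FreeBSD 12+, glibc 2.25+, OpenBSD and macOS will not return output before the kernel pool is seeded, and `pool_is_seeded()` uses getrandom(2) with GRND_NONBLOCK, which fails with EAGAIN while the pool is still uninitialised, so a library can check rather than hope. `seed_hope_for_the_best()` is the "read /dev/urandom and draw a seed" pattern kept only for contrast: on Linux that device never blocks, so early in boot it can hand back output derived from an unseeded pool and the caller has no way to tell. The function names, the 1024-byte draw and the all-zero check are this example's own choices; the 256-byte limit is a documented getentropy() constraint.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/random.h>

/* Ask the kernel whether its pool is seeded without blocking on the answer.
 * getrandom(2) with GRND_NONBLOCK returns -1/EAGAIN while the pool is still
 * uninitialised (Linux 3.17+, FreeBSD 12+). Returns 1 = seeded, 0 = not yet
 * seeded, -1 = this platform offers no non-blocking probe. */
int pool_is_seeded(void) {
#ifdef GRND_NONBLOCK
    unsigned char probe[1];
    ssize_t r = getrandom(probe, sizeof probe, GRND_NONBLOCK);
    if (r == 1) return 1;
    if (r < 0 && errno == EAGAIN) return 0;
    return -1;
#else
    return -1;
#endif
}

/* Fill buf with key material that is guaranteed to come from a seeded pool.
 * getentropy() rejects requests larger than 256 bytes with EIO, so a long
 * key or seed has to be fetched in chunks; forgetting this is a common way
 * to end up with an error that gets ignored. Returns 0 on success, -1 with
 * errno set otherwise (ENOSYS on a kernel too old to support it). */
int seed_from_kernel(unsigned char *buf, size_t len) {
    while (len > 0) {
        size_t n = len > 256 ? 256 : len;
        if (getentropy(buf, n) != 0) return -1;
        buf += n;
        len -= n;
    }
    return 0;
}

/* Demonstrates the limit above: a single oversized request is refused.
 * Returns 1 when getentropy() fails with EIO for 257 bytes, 0 otherwise. */
int oversized_request_rejected(void) {
    unsigned char buf[257];
    if (getentropy(buf, sizeof buf) == 0) return 0;
    return errno == EIO ? 1 : 0;
}

/* The pattern criticised in the thread: open /dev/urandom and take whatever
 * it returns. On Linux this never blocks, so nothing here can notice an
 * unseeded pool at first boot. On FreeBSD, where urandom is a link to the
 * blocking random device, the same code would simply wait. Kept only as the
 * contrast; do not use it for long-term keys. */
int seed_hope_for_the_best(unsigned char *buf, size_t len) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Cheap sanity check callers should do regardless of source: an all-zero
 * buffer is the classic signature of a failed read whose return value was
 * ignored. Returns 1 if every byte is zero. */
int all_zero(const unsigned char *buf, size_t len) {
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc == 0;
}

/* Exercise the seeded path: a 1024-byte draw (four getentropy() chunks) and
 * two independent 32-byte draws that must differ. Returns 1 on success. */
int demo(void) {
    unsigned char big[1024], a[32], b[32];
    if (seed_from_kernel(big, sizeof big) != 0) return 0;
    if (seed_from_kernel(a, sizeof a) != 0) return 0;
    if (seed_from_kernel(b, sizeof b) != 0) return 0;
    if (all_zero(big, sizeof big)) return 0;
    if (memcmp(a, b, sizeof a) == 0) return 0;
    return 1;
}

int main(void) {
    int seeded = pool_is_seeded();
    printf("pool seeded: %s\n",
           seeded == 1 ? "yes" : seeded == 0 ? "not yet" : "cannot tell here");
    if (!demo()) {
        perror("seed_from_kernel");
        return 1;
    }
    printf("1024-byte draw via getentropy() succeeded; 257-byte single request %s\n",
           oversized_request_rejected() ? "rejected with EIO as expected" : "unexpectedly accepted");
    return 0;
}
```

The practical rule this encodes: decide once, at the point a high-value key is generated, whether the source can vouch for being seeded, and use an interface that refuses rather than one that quietly returns bytes. On a unified design like FreeBSD's that decision is made by the kernel; on Linux the library has to make it with getrandom()/getentropy() rather than a plain read of /dev/urandom.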

