[Cryptography] RFC possible changes for Linux random device
Jerry Leichter
leichter at lrw.com
Tue Sep 16 11:17:01 EDT 2014
On Sep 16, 2014, at 10:40 AM, Paul Wouters <paul at cypherpunks.ca> wrote:
>> If this is successful, in order to generate N bytes
>> of randomness, encrypt using ctr(aes) a buffer filled with RDRAND (if
>> available) or all zeros (if not).
>
> so if you had all zeroes, now you have something that looks random but
> is totally non-random? Why would you do that?
Yes, I'm guessing that this wasn't intended to be the whole proposal. My assumption is that the system call will return a success/failure status, and that this describes the failure case: Beyond returning a status, it *also* clears the output buffer.
Properly written code will check the status and proceed in some appropriate way on failure; so what's in the buffer doesn't matter. Code that doesn't check the status - and *no one* writes code like that any more, right? :-( - will at least end up with the most obvious possible "bad randomness": Always all zeros. Perhaps whoever it talks to will notice....
-- Jerry
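The caller-side discipline the reply describes (check the status, never trust a buffer you did not verify was filled) is easy to state and routinely skipped. The following C is an added example, not code from the thread or from the kernel proposal under discussion. It assumes a hypothetical source function with getrandom-like semantics (returns the number of bytes written, or -1 and a zeroed buffer on failure, as the message assumes the proposal does) and wraps it in a checker that handles short reads, refuses an all-zero result, and wipes the buffer on any error. The three sources are constructed for the demonstration; the xorshift one is not a CSPRNG and only stands in for a working source so the code runs offline.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical interface modelled on the thread's description: fill up to
 * `len` bytes, return the count written, or -1 (with the buffer zeroed) on
 * failure. Short reads are allowed, as with getrandom(2). */
typedef ssize_t (*random_source_fn)(void *buf, size_t len);

/* Result codes of fill_random_checked(). */
enum { RAND_OK = 0, RAND_ERR_SOURCE = -1, RAND_ERR_ALLZERO = -2 };

/* Fill buf[0..len) from src. Loops over short reads, treats any non-positive
 * return as failure, and rejects an all-zero buffer (for len >= 8, where the
 * chance of a genuine all-zero output is 2^-64). On every error path the
 * buffer is wiped, so a caller that forgets to check the result still never
 * holds bytes it might mistake for randomness. */
int fill_random_checked(random_source_fn src, unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = src(buf + got, len - got);
        if (n <= 0) {                 /* source failed or made no progress */
            memset(buf, 0, len);
            return RAND_ERR_SOURCE;
        }
        got += (size_t)n;
    }
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++)
        acc |= buf[i];
    if (len >= 8 && acc == 0) {       /* "success" that is really all zeros */
        memset(buf, 0, len);
        return RAND_ERR_ALLZERO;
    }
    return RAND_OK;
}

/* Constructed source 1: the failure case from the message, status -1 and a
 * zeroed buffer. */
static ssize_t failing_source(void *buf, size_t len)
{
    memset(buf, 0, len);
    return -1;
}

/* Constructed source 2: reports success but returns only zeros, to show the
 * all-zero check catching a source whose status is not trustworthy. */
static ssize_t zero_source(void *buf, size_t len)
{
    memset(buf, 0, len);
    return (ssize_t)len;
}

/* Constructed source 3: delivers at most 3 non-zero bytes per call from a
 * tiny xorshift state. NOT a CSPRNG; it only exercises short-read handling. */
static uint32_t toy_state = 0x9E3779B9u;
static ssize_t short_read_source(void *buf, size_t len)
{
    size_t n = len > 3 ? 3 : len;
    unsigned char *p = (unsigned char *)buf;
    for (size_t i = 0; i < n; i++) {
        toy_state ^= toy_state << 13;
        toy_state ^= toy_state >> 17;
        toy_state ^= toy_state << 5;
        p[i] = (unsigned char)(toy_state | 1u);   /* odd, hence never zero */
    }
    return (ssize_t)n;
}

/* Run one source against a 16-byte buffer and report the checker's verdict. */
int scenario(random_source_fn src)
{
    unsigned char buf[16];
    return fill_random_checked(src, buf, sizeof buf);
}

int main(void)
{
    printf("failing source    -> %d\n", scenario(failing_source));
    printf("all-zero source   -> %d\n", scenario(zero_source));
    printf("short-read source -> %d\n", scenario(short_read_source));
    return 0;
}
```

The all-zero test is deliberately coarse: it is not a randomness test, only a guard against the single most obvious failure signature, the one the reply notes "whoever it talks to" might otherwise be the first to notice.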