[Cryptography] RFC possible changes for Linux random device
Theodore Ts'o
tytso at mit.edu
Tue Sep 16 11:45:56 EDT 2014
On Tue, Sep 16, 2014 at 01:56:35PM +0200, CodesInChaos wrote:
>
> I like having a secure RNG that's fast, even for short messages,
> so I like the idea in principle.
> Getting rid of all those fragile fork related hacks is very nice as well.
>
> Might have been lost in the summary, but using a fixed key is not a good idea
> since it doesn't offer forward secrecy.
>
> The simplest way to avoid that is using the first 32 bytes of output
> as new key, pretty similar to what fortuna uses.
My thinking was to reseed the PRNG by regenerating the key
periodically. How often is "periodically" is an open question.
> The problem with that is that overwriting the key requires
> synchronization or thread-local keys to ensure thread safety.
This is hanging off the per-thread task structure, so there are no
synchronization problems. This is the one advantage of doing this in
the kernel....
- Ted
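The two mechanisms argued over in this exchange, a per-thread generator that needs no locking and key erasure (the first 32 bytes of each output batch become the next key, as in Fortuna) so that a captured key does not expose earlier output, are shown together in the following added example. It is illustrative code written for this page, not Ted's kernel patch and not the Linux random driver; it uses HMAC-SHA256 in counter mode as a stand-in for whatever stream cipher the kernel would use, and the `reseed()` method is an assumed hook for the periodic key regeneration Ted describes.

```python
import hashlib
import hmac
import os
import threading

KEY_LEN = 32  # the "first 32 bytes of output" that become the new key


class KeyErasurePRNG:
    """Keyed deterministic generator with forward secrecy by key erasure.

    Output block i is HMAC-SHA256(key, counter_i). Every request first
    produces KEY_LEN extra bytes that replace the key and are never handed
    out, so whoever later learns the current key cannot recompute earlier
    output. HMAC-in-counter-mode is an assumption of this example, standing
    in for the cipher a real kernel generator would use.
    """

    def __init__(self, seed: bytes) -> None:
        if len(seed) != KEY_LEN:
            raise ValueError("seed must be exactly 32 bytes")
        self._key = seed
        self._counter = 0

    def _block(self) -> bytes:
        # One 32-byte keystream block; the counter guarantees distinct inputs.
        out = hmac.new(self._key, self._counter.to_bytes(8, "little"),
                       hashlib.sha256).digest()
        self._counter += 1
        return out

    def generate(self, n: int) -> bytes:
        buf = bytearray()
        needed = KEY_LEN + n
        while len(buf) < needed:
            buf += self._block()
        # Key erasure: the first KEY_LEN bytes become the next key and the
        # old key is dropped. The counter restarts because the key changed.
        self._key = bytes(buf[:KEY_LEN])
        self._counter = 0
        return bytes(buf[KEY_LEN:needed])

    def reseed(self, entropy: bytes) -> None:
        # Periodic key regeneration from fresh pool entropy (assumed hook):
        # mix the new material into the current key rather than replace it,
        # so a weak entropy sample cannot make the key worse than it was.
        self._key = hmac.new(self._key, entropy, hashlib.sha256).digest()
        self._counter = 0

    def current_key(self) -> bytes:
        # Exposed only so the demonstration can show the key changing.
        return self._key


# Per-thread state: each thread owns its own generator, so no lock is
# needed on the hot path, mirroring the per-task structure in the thread.
_local = threading.local()


def thread_prng() -> KeyErasurePRNG:
    """Return the calling thread's generator, seeding it on first use."""
    prng = getattr(_local, "prng", None)
    if prng is None:
        prng = KeyErasurePRNG(os.urandom(KEY_LEN))  # fresh seed per thread
        _local.prng = prng
    return prng


def distinct_per_thread() -> bool:
    """Show that two threads get two separate generator objects."""
    objs = []

    def worker() -> None:
        objs.append(thread_prng())

    threads = [threading.Thread(target=worker) for _ in range(2)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return objs[0] is not objs[1]


if __name__ == "__main__":
    seed = bytes(32)  # constructed, all-zero seed for a reproducible demo
    g = KeyErasurePRNG(seed)
    first = g.generate(16)
    print("output :", first.hex())
    print("key now:", g.current_key().hex(), "(no longer the seed)")
    print("thread-local instances distinct:", distinct_per_thread())
```

Two generators seeded alike emit identical bytes, which is what makes the key erasure meaningful: once `generate()` returns, the seed that would reproduce that output no longer exists anywhere in the object, and a later `reseed()` folds in fresh entropy without touching any other thread's state.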