[Cryptography] The Crypto Pi

[Theodore Ts'o]

At this point, the main justification I see for counting entropy is
(a) as a hueristic to decide when the entropy pool has been
sufficiently initialized in a cold boot / "fresh from the factory"
situation, and you don't have access to a trusted hw random generator
(where I'll ignore for now the question of how to define "trusted" ---
how much *should* you trust Intel's RDRAND or any random number
generator coming out of NIST/NSA after DUAL-EC, etc.?), and (b) as a
rate limiter when deciding how often to pull from a hw random number
generator, since there may be costs in terms of battery life, etc., to
pull from a hw random generator.

For (b) you could talk about this in terms of, "I'll fire up the lava
light generator after extracting N bytes from the RNG" if you want to
avoid using the word "entropy accounting", I suppose.  But the only
real difference is a question of how much you pull from your various
hardware entropy sources after you hit a particuar threshold.  Is it
one byte for every byte extracted?  Is it sufficient to simply pull
256 bits every five minutes?  Regardless of how much rng output you
are exposing to a potential attacker?

The other thing I'll note is that these days, it's considered
fashionable to look down on people who want to do designs based on
various crypto algorithms having unknown weaknesses.  After all,
someone like Snowden has promised us that used correctly, we can trust
the algorithms.  And *surely* that's not a false flag operation.  :-)

But in the early days of the PGP and Linux random number generators,
recall that SHA-1 was a gift from NIST/NSA --- just like DUAL EC was
--- and there was some doubt about what cryptographic guarantees
really could be assumed with those algorithms.  And back then, in a
world where the cryptographic core might not be 100% considered to be
trustworthy, and might be subject to engineered "NOBUS" attacks, using
entropy accounting really isn't that insane of an idea.

Cheers,

						- Ted