[Cryptography] OpenSSL and random

Peter Gutmann pgut001 at cs.auckland.ac.nz
Fri Dec 2 06:24:45 EST 2016


Ray Dillinger <bear at sonic.net> writes:

>For those who don't chase email links ever, or who do but didn't recognize
>the above host so refrained, the short version of the story is that
>getrandom() blocks unless sufficient initial entropy has been collected, but
>is nonblocking forever after.  Which is, IMO, the right thing.

As others have pointed out, it's not the right thing, because it turns
getrandom() into make_application_crash_at_random() (if your application hangs
then to users it's crashed, no matter what you may want to call it).  Would
you want to ship a product to customers that calls
make_application_crash_at_random()?

>As written, it regards 128 bits as sufficient initial entropy. 

Why 128 bits?  What if it's less?  Let's say you never block, which means you
could run on, say, 32 bits of entropy early on.  Given the information
"somewhere on the Internet there may be a system that may be running with
lowered entropy in the RNG", how would an attacker exploit this?

(What I'm pointing out there is that it seems to be an unassailable article of
faith that your PRNG needs to have 128 bits of entropy as defined by
$something in order to work.  Why?  What's the threat if some random system
somewhere on earth has 127 bits?  80 bits?  56 bits?  32 bits?).

Peter.
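As an added example, not from Peter's or Ray's posts, this shows how an application can observe the behaviour Ray describes on Linux without risking the hang Peter objects to: getrandom(2) called with GRND_NONBLOCK returns EAGAIN while the pool is still uninitialised, so the caller can log or fail closed instead of blocking. The wrapper names rng_fill and rng_is_seeded are hypothetical, and the code assumes Linux with glibc 2.25 or later (sys/random.h).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/random.h>
#include <sys/types.h>

/* Result codes for rng_fill(), a hypothetical wrapper (not from the post). */
enum rng_status { RNG_OK = 0, RNG_NOT_SEEDED = 1, RNG_ERROR = 2 };

/* Fill buf with len bytes from the kernel CSPRNG without ever blocking.
 * Until the pool is initialised the kernel answers EAGAIN, reported here
 * as RNG_NOT_SEEDED so the caller can log, wait with a bounded timeout or
 * fail closed instead of hanging silently at startup. */
enum rng_status rng_fill(unsigned char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t n = getrandom(buf + got, len - got, GRND_NONBLOCK);
        if (n < 0) {
            if (errno == EINTR)
                continue;               /* interrupted by a signal: retry */
            if (errno == EAGAIN)
                return RNG_NOT_SEEDED;  /* pool not yet initialised */
            return RNG_ERROR;           /* e.g. ENOSYS on a pre-3.17 kernel */
        }
        got += (size_t)n;
    }
    return RNG_OK;
}

/* 1 if the kernel pool is initialised (a one-byte non-blocking read
 * succeeds), 0 if it is not yet, -1 on any other error. */
int rng_is_seeded(void)
{
    unsigned char probe;
    switch (rng_fill(&probe, 1)) {
    case RNG_OK:         return 1;
    case RNG_NOT_SEEDED: return 0;
    default:             return -1;
    }
}

int main(void)
{
    unsigned char key[16];   /* a 128-bit key, the figure discussed in the post */
    enum rng_status s = rng_fill(key, sizeof key);
    printf("seeded=%d status=%d\n", rng_is_seeded(), (int)s);
    return s == RNG_OK ? 0 : 1;
}
```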