[Cryptography] Is Ron right on randomness
Ron Garret
ron at flownet.com
Wed Nov 23 22:26:57 EST 2016
On Nov 23, 2016, at 2:15 PM, Carl Ellison <cme at acm.org> wrote:
> On Nov 23, 2016, at 09:55, Salz, Rich <rsalz at akamai.com> wrote:
>
>>> Everything that matters about randomness can be summarized in four bullet points:
>>>
>>> 1. You need two things: an entropy source, and a whitener. No entropy
>>> source is perfect, so you need a whitener no matter what. You don't have to
>>> do anything fancy in your whitener. Any cryptographically secure hash
>>> function (like SHA512) will do.
>>>
>>> 2. Since you need a whitener no matter what, it doesn't really matter how
>>> good your entropy source is, except insofar as it might take a long time to
>>> collect enough entropy from a very poor source. All that matters is that you
>>> have an accurate lower bound for how much entropy your source actually
>>> provides, and this is the case no matter how good (or bad) your source
>>> actually is. As long as you feed >N bits of entropy into your whitener, you can
>>> safely extract N bits of true randomness out of it.
>>>
>>> 3. You don't need more than a few hundred bits of randomness. 128 bits is
>>> enough, 256 is a comfortable margin, 512 is serious overkill. Seed a
>>> cryptographically secure PRNG with a few hundred bits of entropy and you
>>> can safely extract gigabytes of key material out of it.
>>
>> (I omitted #4)
>>
>> Is the above accurate? Is it a reasonable design point to use for OpenSSL's next CSPRNG?
>
> Point 2 is misleading. Discovering how many bits of entropy you get in every M bits of source takes lots of work and the steps don't tell how to do that.
That’s true, but it’s a straw man. I very deliberately did *not* say that you need an accurate estimate of how many bits of entropy you get in every M bits of source. What you need is an accurate *lower bound* on this quantity. You can make that lower bound as conservative as you want.
As to “how do you do it”, that is ultimately a judgement call that you have to make based on your risk posture and the totality of the circumstances. But my baseline recommendation if you want to be exceptionally paranoid is to make an audio recording of some white-ish noise (e.g. record yourself saying “Shhh”) and then extract 1% or 0.1% of the result. Of course, you have to do this in a secure environment. An attacker is vastly more likely to compromise you by obtaining a copy of this recording than because it didn’t contain enough entropy.
rg
More information about the cryptography
mailing list