[Cryptography] OpenSSL and random
Natanael
natanael.l at gmail.com
Mon Nov 28 08:55:09 EST 2016
Den 28 nov 2016 14:34 skrev "Salz, Rich" <rsalz at akamai.com>:
>
> Ian: Use /dev/urandom
>
> Bill: Use /dev/random
>
>
>
> So I have a new basic theory about randomness: ask N crypto folks and get
at least N+1 opinions.
>
>
>
> I look forward to the day when the community can come to consensus.
Until then, OpenSSL will proceed as best as it can and get slammed for it
at some point.
Me: use both :)
This was actually mentioned previously in another thread by somebody else,
and I like the idea;
At boot, you create /dev/random normally and map /dev/urandom to it such
that both work the same - until enough entropy is estimated to have been
gathered, they both block and you can't get random numbers.
Once the entropy pool is assumed to be filled, you create/restore the
standard /dev/urandom and now remap /dev/random to point to the (regular)
/dev/urandom. Now none of them blocks, and they work the same.
After all you just want to block until you have enough entropy, and then
never block again (for as long as the pool remains uncompromised), given
that we already trust all these symmetric ciphers with the random numbers
coming out of the CSPRNGs. Because why trust them with terabytes of data,
but yet not trust that the CSPRNG works using the same class of symmetric
algorithms based on similar sized entropy pools?
The real difficulty on the software side is entropy estimation. Everything
else is mostly normal engineering. Once you know you have enough secret
entropy in your pool, deriving unpredictable outputs from it is a solved
problem.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20161128/40752cbd/attachment.html>
More information about the cryptography
mailing list