Holes in the Linux random number generator?
Posted May 26, 2006 11:28 UTC (Fri) by zooko
Parent article: Holes in the Linux random number generator?
"It is clearly better to refuse to give out entropy to people than to give false entropy."
This is not true, or at least is true only in specific and uncommon use cases.
(By the way, the output of /dev/urandom is not "false entropy".)
The overwhelming majority of uses of security-sensitive random numbers occur under many layers of software operated by security-naive users.
In that case, the failure mode from random number acquisition blocking is not "The user realizes that /dev/random has blocked and deals with it." (which is what happens if the user is Alan Cox), but "Timeouts cascade through the system and the user becomes confused."
This can lead to the kind of security problems which are real, frequent, and widely exploited -- denial of service, social engineering, time-of-check-to-time-of-use gaps, exploitation of failover, exploitation of false alarm, etc. etc. In contrast, the idea of a cryptanalytic attack which cracks /dev/urandom but not /dev/random is purely hypothetical and may not exist at all.
Alan Cox's stance (as quoted) seems reasonable enough at first, but this is one of those cases where security engineering defies our intuitive belief that being "safer" or "more conservative" is better. (Think of burglar alarms or watch dogs which are too sensitive and give off too many false alarms.)