This is not like Debian's situation. If dubious randomness isn't accounted for as incoming
entropy bits, /dev/random would block the same way as it would be blocking without any dubious
randomness at all. As for /dev/urandom, without any external randomness /dev/urandom would be
looping inside sha1 feedback, acting as a pure PRNG. Any kind of external randomness injected
into that loop would only make its randomness better, it can't possibly make it worse (due to
crypto properties of sha1 you can't forge any correlation here). Point is, when good
randomness dries up, what you're getting from /dev/urandom is a PRNG output. Any dubious
randomness mixed in could only improve this situation. So, to answer your question, you really
won't notice in both cases, but your randomness would be a bit better if you mix in some
dubious stuff there as well. In the latter case, your chances of using dubious randomness
(pure PRNG) are actually smaller.
Posted May 24, 2008 8:10 UTC (Sat) by bronson (subscriber, #4806)
My point is, either you care about the strength of your random numbers or you don't.
If you care, you're using /dev/random and you only mix in strong entropy. Mixing in weak
entropy seems harmless but will mask problems that would otherwise be obvious. The Debian
situation.
If you don't care, then you're happy with a strong, well-seeded PRNG and there's no need to
mix in dubious random data.
Is there a middle ground? I don't see one.
Appropriate sources of entropy
Posted May 24, 2008 18:47 UTC (Sat) by ikm (subscriber, #493)
Any cryptographic PRNG needs to be reseeded once in a while, and some dubious data will do
just fine for that, given that it is mixed in in a cryptographically secure way. A box with
only a network connection is a good example of that -- it does not have much real entropy
coming in. You say that in absence of any trusted entropy a crypto PRNG is never to be
reseeded. I would disagree. One of the problems is what would happen if a seed file, which
stores state across reboots, is compromised. Another accounts for any sort of weaknesses found
in a PRNG itself. If you need more details, see Schneier's Yarrow design paper, I could only
agree with what he had to say. The point is, sticking to the one initial seeding forever is a
bad idea.
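The two behaviours argued over in this thread, (1) that data mixed into the pool without an entropy credit changes the output stream but does not unblock the blocking interface, and (2) that reseeding a hash-feedback PRNG with fresh data recovers from a compromised seed file, can be shown on a small model. The following is an added example, a constructed toy pool written for this page and not the kernel's or any commenter's code; it uses SHA-1 feedback as the comments describe, and the class name, method names and sample inputs are all assumptions of the example.

```python
import hashlib


class ToyPool:
    """Toy hash-feedback pool with an entropy counter (constructed model, not the kernel's)."""

    def __init__(self, seed: bytes, credited_bits: int = 0):
        self.state = hashlib.sha1(seed).digest()
        self.entropy_bits = credited_bits   # how much entropy the caller has vouched for
        self.counter = 0                    # block counter, so every output block differs

    def mix_in(self, data: bytes, credited_bits: int = 0) -> None:
        """Fold data into the state. The counter only moves by what the caller credits,
        so dubious data (credited_bits=0) perturbs the stream without unblocking anything."""
        self.state = hashlib.sha1(self.state + data).digest()
        self.entropy_bits += credited_bits

    def _next_block(self) -> bytes:
        self.counter += 1
        out = hashlib.sha1(self.state + self.counter.to_bytes(8, "big")).digest()
        # Feedback step: advance the state so an earlier state cannot be read off a later one.
        self.state = hashlib.sha1(out + self.state).digest()
        return out

    def _read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += self._next_block()
        return out[:n]

    def read_random(self, n: int):
        """Blocking interface: returns None (i.e. would block) unless 8*n bits are credited."""
        if self.entropy_bits < 8 * n:
            return None
        self.entropy_bits -= 8 * n
        return self._read(n)

    def read_urandom(self, n: int) -> bytes:
        """Non-blocking interface: keeps running as a pure PRNG once the credit is exhausted."""
        return self._read(n)


def dubious_data_does_not_unblock() -> bool:
    """Uncredited mix-in leaves read_random blocked while read_urandom keeps producing output."""
    pool = ToyPool(b"constructed initial seed", credited_bits=0)
    pool.mix_in(b"network packet timings (dubious, constructed)", credited_bits=0)
    return pool.read_random(16) is None and len(pool.read_urandom(16)) == 16


def dubious_data_still_changes_stream() -> bool:
    """The same uncredited mix-in nevertheless changes what read_urandom returns."""
    plain = ToyPool(b"constructed initial seed")
    mixed = ToyPool(b"constructed initial seed")
    mixed.mix_in(b"dubious", credited_bits=0)
    return plain.read_urandom(16) != mixed.read_urandom(16)


def reseed_recovers_from_state_compromise() -> bool:
    """A party holding the seed file tracks the pool exactly until fresh data is mixed in."""
    victim = ToyPool(b"seed file contents (constructed)")
    tracker = ToyPool(b"seed file contents (constructed)")   # same seed, same state
    same_before = victim.read_urandom(16) == tracker.read_urandom(16)
    victim.mix_in(b"fresh data the tracker never saw", credited_bits=0)
    same_after = victim.read_urandom(16) == tracker.read_urandom(16)
    return same_before and not same_after


if __name__ == "__main__":
    print("uncredited data leaves /dev/random-style read blocked:", dubious_data_does_not_unblock())
    print("uncredited data still perturbs urandom-style output:", dubious_data_still_changes_stream())
    print("reseeding diverges from a copied seed file:", reseed_recovers_from_state_compromise())
```

The design choice worth noting is that `mix_in` and the entropy counter are separate concerns: the hash absorbs anything, and the counter is the only thing the blocking interface looks at. That is the distinction bronson and ikm are circling: crediting weak data would hide a dry pool, while mixing it in uncredited costs nothing and, as the last function shows, is what lets a PRNG walk away from a state someone else already holds.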