
Replacing /dev/urandom


Posted May 16, 2016 11:56 UTC (Mon) by Otus (subscriber, #67685)
Parent article: Replacing /dev/urandom

> When the system is booting, the new RNG will credit each interrupt's timing data with one bit of entropy, as does Stephan's RNG. Once the RNG is initialized with sufficient entropy, though, the RNG switches to the current system, which accounts far less entropy for each interrupt.

Is there any evidence for the amounts credited?

My immediate impression is to expect interrupts during boot to be *less* random rather than more,



Replacing /dev/urandom

Posted May 16, 2016 12:22 UTC (Mon) by tao (subscriber, #17563) [Link] (2 responses)

Most likely, yes. But the system is likely to be more (unless it has a Hardware-RNG) entropy-starved on boot than during normal operation.

Replacing /dev/urandom

Posted May 16, 2016 13:13 UTC (Mon) by paulj (subscriber, #341) [Link] (1 responses)

But boot is also when the system is more likely to generate keys automatically than any other time, no, where low-quality entropy being used to seed CPRNGs could have long-term security-impacting bad effects?

Replacing /dev/urandom

Posted May 17, 2016 4:38 UTC (Tue) by Otus (subscriber, #67685) [Link]

Exactly.

If 1 bit / interrupt is a good enough estimate for boot-time entropy, it ought to be good enough for later.
If it is not, then we should not pretend to have enough entropy when we do not.

