
Removing the Linux /dev/random blocking pool


Posted Jan 7, 2020 16:43 UTC (Tue) by Cyberax (✭ supporter ✭, #52523)
In reply to: Removing the Linux /dev/random blocking pool by cesarb
Parent article: Removing the Linux /dev/random blocking pool

That's not exactly how it works.

You can't reconstruct the state of the pool without storing all possible intermediate results. So if you want to reconstruct the pool state after 32 bits of entropy were added, you'd need a lookup table of at least 4Gb in size.



Removing the Linux /dev/random blocking pool

Posted Jan 7, 2020 20:41 UTC (Tue) by nivedita76 (subscriber, #121790)

That is the point of how state extension attacks work. You may have added 32 bits of entropy, but if you added them 1 bit at a time while the attacker was reading the output of your RNG, you've lost.

https://lwn.net/ml/linux-kernel/20190919143427.GQ6762@mit...
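The difference between the two comments above can be measured on a toy pool. This is an added example, not part of either comment and not kernel code: the SHA-256 `mix`/`output` functions, the 16-bit constructed secret and the assumption that the pool's starting state is already known to the observer are all illustrative. It counts how many guesses are needed to keep tracking the pool when the same entropy arrives one bit at a time versus in one batch, which is why reseeding is batched.

```python
import hashlib

def mix(state: bytes, data: bytes) -> bytes:
    """Toy pool update (assumption: stands in for the real mixing function)."""
    return hashlib.sha256(b"mix" + state + data).digest()

def output(state: bytes) -> bytes:
    """Toy output function: what a reader of the RNG sees for this state."""
    return hashlib.sha256(b"out" + state).digest()

def track_state(known_state: bytes, observed: list, chunk_bits: int):
    """Follow the pool from a known state using only the observed outputs.

    Returns (tracked_state, guesses_tried)."""
    state, guesses = known_state, 0
    for out in observed:
        for cand in range(1 << chunk_bits):
            guesses += 1
            nxt = mix(state, cand.to_bytes(4, "big"))
            if output(nxt) == out:
                state = nxt
                break
        else:
            raise ValueError("no candidate matches the observed output")
    return state, guesses

def simulate(secret: int, total_bits: int, chunk_bits: int):
    """Feed `secret` into the pool chunk_bits at a time, with one output
    read after every chunk. Returns (state_was_tracked, guesses_tried)."""
    start = b"\x00" * 32              # constructed: starting state is known
    state, observed = start, []
    mask = (1 << chunk_bits) - 1
    for i in range(total_bits // chunk_bits):
        shift = total_bits - (i + 1) * chunk_bits
        chunk = (secret >> shift) & mask
        state = mix(state, chunk.to_bytes(4, "big"))
        observed.append(output(state))
    tracked, guesses = track_state(start, observed, chunk_bits)
    return tracked == state, guesses

if __name__ == "__main__":
    SECRET = 0xBEEF                   # constructed 16-bit sample value
    print("1 bit at a time:", simulate(SECRET, 16, 1))
    print("one 16-bit batch:", simulate(SECRET, 16, 16))
```

For n bits the trickled case costs at most 2n guesses while the batched case costs up to 2^n, so the 32 bits in the thread shrink from about 4 billion candidates to at most 64.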


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds