Re: strengthening /dev/urandom

From: Bill Unruh (unruh_at_string.physics.ubc.ca)
Date: 08/27/04


Date: 27 Aug 2004 15:48:59 GMT

Mok-Kong Shen <mok-kong.shen@t-online.de> writes:

]>
]> Real as state-compromise attacks clearly are, I have to agree
]> that Shen's issues deserve to be ignored. I cannot fathom how
]> anyone who takes the subject the slightest bit seriously could
]> fail to come up with a more realistic state compromise than
]> "the opponent being able to control one's mouse".

]In the attachment I reproduce some paragraphs of what David
]Wagner wrote. To be fair, it should be mentioned that he

The question is whether in a hardware based random number generator, one
should consider it as a flaw that the output depends on the input from the
hardware. Should, or can, the output of the RNG be made independent of the
input from the hardware? Wagner's comment is that the Linux RNG accepts
input from hardware (four sources) and that if one were compromised it
would be bad at present, and suggests that it would be better if the output
of the RNG were strong even if that one source were compromised.

Put this way, I think the question is a bit silly. Of course a hardware
based RNG depends on the hardware and if the hardware is compromised so is
the RNG. But it is hard to see how this is a problem without any realistic
model of how the hardware could be compromised.

]himself did concede that the mouse example is not realistic
]but he continued to stress that there are many other
]conceivable attacks. The latter is true in so far as one

Are there? None have been displayed.

]considers 'all' possible scenarios, in particular the
]case where one were the person that is currently most
]wanted by the US government. (I think that any use of e.g.

IF the hardware is compromised, then it would seem far far far more
probable that the software is compromised.
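The design property under dispute above (should the pool's output stay unpredictable when one of several hardware sources is compromised?) can be made concrete with a toy model. This is an added example, not code from the thread or from the Linux kernel: four small sources are hash-combined with SHA-256, and the function counts how many distinct pool outputs remain when an attacker fixes a chosen subset of sources while the rest range over all their values. The source count, the 3-bit widths and the mixing construction are assumptions for illustration only.

```python
# Added toy model of a multi-source entropy pool (not the Linux pool).
import hashlib
import itertools


def mix(samples: list[bytes]) -> bytes:
    """Hash-combine one sample per source. Each sample is length-prefixed
    so that the boundaries between sources are unambiguous to the hash."""
    h = hashlib.sha256()
    for s in samples:
        h.update(len(s).to_bytes(2, "big"))
        h.update(s)
    return h.digest()


def distinct_outputs(n_sources: int, bits_per_source: int,
                     fixed: dict[int, bytes]) -> int:
    """Number of distinct pool outputs when the sources listed in `fixed`
    are attacker-chosen constants and every other source independently
    takes each of its 2**bits_per_source values.

    A count of 2**(bits_per_source * number_of_free_sources) means the
    attacker-controlled sources did not reduce the uncertainty supplied
    by the sources they do not control (assumes bits_per_source <= 8)."""
    space = [i.to_bytes(1, "big") for i in range(2 ** bits_per_source)]
    free = [i for i in range(n_sources) if i not in fixed]
    seen = set()
    for combo in itertools.product(space, repeat=len(free)):
        samples: list[bytes] = [b""] * n_sources
        for i, v in fixed.items():
            samples[i] = v
        for i, v in zip(free, combo):
            samples[i] = v
        seen.add(mix(samples))
    return len(seen)


if __name__ == "__main__":
    # Four 3-bit sources (constructed values); attacker controls source 0.
    print(distinct_outputs(4, 3, {0: b"\x07"}))            # 512 = 2**9
    # Attacker controls three of the four sources.
    print(distinct_outputs(4, 3, {0: b"\x07", 1: b"\x00", 2: b"\x00"}))  # 8
    # Attacker controls every source: the output is fully determined.
    print(distinct_outputs(4, 3, {i: b"\x00" for i in range(4)}))        # 1
```

The output becomes predictable only when every contributing source is controlled; as long as the other sources are independent of the attacker, a single compromised source leaves their contribution intact.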


