Re: new /dev/random

From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 10/07/04


Date: 07 Oct 2004 12:06:57 -0700

Ernst Lippe <ernstl-at-planet-dot-nl@ignore.this> writes:
> In theory this secret IV is an interesting idea, but I don't think
> that it will help much. Most Linux boxes don't have their own
> self-compiled kernel, but use some common distribution (either a
> standard commercial one or some in-house version). When a large user
> group has the same IV there is no real advantage, because the
> machines within this group will still show identical behaviour.
> Giving each computer its own version of the random binary makes life
> difficult for the system administrator (in other words they won't
> support it).

I'm imagining something like a server farm or supercomputer cluster
where there may be lots of machines but with centralized
administration. It's fine if they all have the same static IV that's
accessible to legitimate users, as long as the IV is kept secret from
internet attackers. Don't forget, too, that once the system has been
running for a while, there will be enough real entropy in it that
any insecurity from the IV leaking will have gone away.

In the case of an individual user running a precompiled distro on
their desktop, the installation script can put a second IV into the
bootup command, as described elsewhere.

> Your other suggestion to hunt around the system for every possible
> little bit of entropy seems very sound, it's just that I don't see
> any advantage in a secret IV.

With a secret IV, you don't have to hunt around for every possible
little bit of entropy; you just need enough to get a unique nonce.
For example, using the time-of-day plus the MAC address should yield a
unique nonce.
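
The scheme Paul describes in his last two paragraphs, as an added worked example (not code from the thread, the poster, or the Linux kernel): a cluster-wide secret IV keyed over a unique but low-entropy nonce made of boot time plus MAC address, with later entropy mixed into the pool. The keyed construction (HMAC-SHA256), the hash-based mixing and output steps, and every constant are assumptions of this toy model; the real kernel pool is built differently. Beyond restating the post, it also runs the attacker's side: a brute force over the boot-time window that succeeds against a leaked IV (showing the nonce alone carries no secrecy), fails without the IV, and fails again once unknown entropy has been mixed in.

```python
"""Secret-IV seeding with a unique, low-entropy nonce (toy model, not kernel code).

Every node in a cluster shares one secret IV; each derives a distinct pool
seed from IV + (boot time, MAC). All names, the HMAC-SHA256 construction and
the sample values below are assumptions of this example.
"""
import hashlib
import hmac

# Constructed sample data, not real values.
SECRET_IV = b"cluster-wide-secret-iv-0123456789"   # shared by all nodes, hidden from the net
MAC_A = bytes.fromhex("001122334455")
MAC_B = bytes.fromhex("00112233aabb")
BOOT_TIME = 1_097_000_000                            # seconds since epoch, constructed
ATTACKER_IV_GUESS = b"some-other-iv-the-attacker-tries"


def make_nonce(mac: bytes, boot_time: int) -> bytes:
    """Nonce = boot time || MAC. Unique per machine and boot, but guessable:
    anyone who knows the MAC and the approximate boot time can enumerate it."""
    return boot_time.to_bytes(8, "big") + mac


def seed_pool(secret_iv: bytes, nonce: bytes) -> bytes:
    """Initial pool state as a keyed hash of the nonce under the secret IV.
    Nodes sharing the IV still get distinct states because their nonces differ."""
    return hmac.new(secret_iv, nonce, hashlib.sha256).digest()


def mix_entropy(state: bytes, sample: bytes) -> bytes:
    """Fold a harvested entropy sample (e.g. interrupt timings) into the pool."""
    return hashlib.sha256(b"mix" + state + sample).digest()


def output_block(state: bytes, counter: int) -> bytes:
    """Derive an output block (what a /dev/urandom reader would see)."""
    return hashlib.sha256(b"out" + state + counter.to_bytes(8, "big")).digest()


def recover_boot_time(iv_guess: bytes, mac: bytes, t_lo: int, t_hi: int,
                      observed: bytes):
    """Attacker: knows the MAC, a boot-time window and one observed output
    block; tries every nonce in the window under iv_guess. Returns the
    matching boot time, or None if no candidate reproduces the output."""
    for t in range(t_lo, t_hi):
        candidate = output_block(seed_pool(iv_guess, make_nonce(mac, t)), 0)
        if hmac.compare_digest(candidate, observed):
            return t
    return None


def demo() -> dict:
    """Run the scenario and return the observations as a dict."""
    state_a = seed_pool(SECRET_IV, make_nonce(MAC_A, BOOT_TIME))
    state_b = seed_pool(SECRET_IV, make_nonce(MAC_B, BOOT_TIME))
    first_out_a = output_block(state_a, 0)

    window = (BOOT_TIME - 1800, BOOT_TIME + 1800)   # attacker knows boot to within an hour

    # 1. Same IV across the cluster, different nonces -> different pools.
    nodes_differ = state_a != state_b

    # 2. If the IV leaks, the nonce's low entropy is fatal: one output block
    #    lets the attacker brute-force the boot time and hence the whole pool.
    with_iv = recover_boot_time(SECRET_IV, MAC_A, *window, first_out_a)

    # 3. Without the IV the same search finds nothing.
    without_iv = recover_boot_time(ATTACKER_IV_GUESS, MAC_A, *window, first_out_a)

    # 4. Once real entropy unknown to the attacker has been mixed in, even
    #    knowing the IV no longer lets them match later output.
    later_state = mix_entropy(state_a, b"constructed-interrupt-timing-sample")
    later_out = output_block(later_state, 0)
    after_mix = recover_boot_time(SECRET_IV, MAC_A, *window, later_out)

    return {
        "nodes_differ": nodes_differ,
        "boot_time_recovered_with_iv": with_iv,
        "boot_time_recovered_without_iv": without_iv,
        "boot_time_recovered_after_mixing": after_mix,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run it directly to see the four observations. The design choice worth noting is the split of roles: the nonce only has to be unique (boot time plus MAC is enough for that), while all the secrecy lives in the IV, which is why the brute force in step 2 works the moment the IV is known and why step 4 matters, since mixing in genuinely unpredictable samples is what eventually makes a leaked IV harmless.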
