Re: new /dev/random

From: Patrick J. LoPresti (patl_at_users.sourceforge.net)
Date: 10/08/04

  • Next message: Roger Schlafly: "Re: Quantum Computers breaking ciphers"

    Date: 08 Oct 2004 11:48:31 -0400
    To: "Bill Unruh" <unruh@physics.ubc.ca>

    Bill Unruh <unruh@physics.ubc.ca> writes:

    > Could you please summarize why you believe that /dev/urandom is not
    > it. Many have made that statement, and I have not seen any argument
    > to support it. Cooke said he read the source and he did not like
    > it-- it was messy-- and liked Fortuna better. His particular likes
    > are irrelevant.
    >
    > Why is /dev/urandom not a proper cryptographically secure random
    > number generator?

    The seeding problem is serious. Even if it can be avoided in
    userspace (can it? how?), the kernel-provided driver really ought to
    provide secure output by default. It is not like this is hard to
    implement; FreeBSD already does it, apparently.

    I have not examined the /dev/urandom source, so these next comments
    are based on hearsay. The best approach for /dev/urandom would be to
    pick a well-known and well-analyzed RNG from the literature, and make
    your implementation match that literature as closely as possible.
    Such RNGs typically combine well-known primitives in easily analyzed
    ways, and have associated proofs that the quality of the generator is
    implied by the strength of the primitives.

    For example, if I were designing /dev/urandom, I would probably use
    AES in CTR mode. I do not keep up with the state of the art in random
    number generation, so I would go with what I know.

    Now, from what I have heard, /dev/urandom does not consist merely of
    well-known primitives composed in a provably good way. In my world,
    that is a design flaw.

     - Pat

    P.S. I am not necessarily advocating Fortuna, by the way. It does
    have that "automatic recovery from state compromise" property, but it
    introduces a lot of complexity to get it. And I have trouble
    envisioning a likely attack which could compromise the RNG state
    without compromising the entire system...
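
The construction Pat sketches (a well-analysed primitive, AES in CTR mode, used as the generator) together with the seeding problem he calls serious, as an added Go example that is not code from the original post, from Linux or from FreeBSD. The seed-to-key derivation via SHA-256, the 32-bit "weak seed" and the observed output block are this example's own assumptions, chosen to show why a generator that is only as good as its seed must be seeded properly by default:

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// CTRGen is a deterministic generator built from one well-analysed
// primitive: AES-256 in CTR mode. Output block i is AES_K(ctr0 + i), so
// the output is indistinguishable from random exactly as long as AES
// under an unknown key is a good pseudorandom permutation.
type CTRGen struct {
	block   cipher.Block
	counter [aes.BlockSize]byte
}

// NewCTRGen derives the AES key and the starting counter from an
// arbitrary-length seed with SHA-256. The domain-separated hashing is
// this example's own key derivation, not a standard scheme.
func NewCTRGen(seed []byte) (*CTRGen, error) {
	key := sha256.Sum256(append([]byte("key:"), seed...))
	ctr := sha256.Sum256(append([]byte("ctr:"), seed...))
	b, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	g := &CTRGen{block: b}
	copy(g.counter[:], ctr[:aes.BlockSize])
	return g, nil
}

// Read fills p with keystream blocks and advances the counter.
func (g *CTRGen) Read(p []byte) (int, error) {
	var out [aes.BlockSize]byte
	for i := 0; i < len(p); i += aes.BlockSize {
		g.block.Encrypt(out[:], g.counter[:])
		copy(p[i:], out[:]) // copy stops at the end of p for a partial block
		incr(&g.counter)
	}
	return len(p), nil
}

// incr increments the 128-bit big-endian counter with carry.
func incr(c *[aes.BlockSize]byte) {
	for i := len(c) - 1; i >= 0; i-- {
		c[i]++
		if c[i] != 0 {
			return
		}
	}
}

// OutputFromUint32Seed models a badly seeded generator: its entire state
// is a function of a single 32-bit value (a timestamp or PID, say).
func OutputFromUint32Seed(s uint32, n int) []byte {
	var seed [4]byte
	binary.BigEndian.PutUint32(seed[:], s)
	g, err := NewCTRGen(seed[:])
	if err != nil {
		panic(err) // only possible for a bad key size, which cannot happen here
	}
	buf := make([]byte, n)
	g.Read(buf)
	return buf
}

// RecoverWeakSeed is the observer's side of the seeding problem: given one
// block of output from a generator seeded as above, try every seed below
// seedSpace and return the one that reproduces it. Once the seed is known,
// every byte the generator has emitted or will emit is known too.
func RecoverWeakSeed(observed []byte, seedSpace uint32) (uint32, bool) {
	for s := uint32(0); s < seedSpace; s++ {
		if bytes.Equal(OutputFromUint32Seed(s, len(observed)), observed) {
			return s, true
		}
	}
	return 0, false
}

func main() {
	// Properly seeded: 32 bytes from the OS. With a 256-bit seed the
	// search below is hopeless and the generator is as strong as AES.
	strong := make([]byte, 32)
	if _, err := rand.Read(strong); err != nil {
		panic(err)
	}
	g, _ := NewCTRGen(strong)
	buf := make([]byte, 32)
	g.Read(buf)
	fmt.Printf("strongly seeded output: %x\n", buf)

	// Weakly seeded: the secret is one of 2^16 values here (scaled down
	// from 2^32 to keep the demo fast; the full space is only 65536 times
	// more work). One 16-byte block of output is enough to recover it.
	const secretSeed = 40003
	observed := OutputFromUint32Seed(secretSeed, 16)
	found, ok := RecoverWeakSeed(observed, 1<<16)
	fmt.Printf("recovered seed %d (ok=%v)\n", found, ok)
}
```

The generator itself is exactly what the message describes: the only cryptographic assumption is that AES is a good pseudorandom permutation, and nothing else needs analysing. The second half of the program is why the seeding matters more than the mixing: a generator this clean is still a deterministic function of its seed, so an output block plus a guessable seed gives the whole stream. Note that this plain CTR construction has no reseeding and no recovery from state compromise, the property the P.S. credits Fortuna with buying at the cost of extra complexity.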

