[145745] in cryptography@c2.net mail archive


Re: questions about RNGs and FIPS 140

daemon@ATHENA.MIT.EDU (travis+ml-cryptography@subspacefie)
Thu Aug 26 12:05:02 2010

Date: Thu, 26 Aug 2010 08:14:26 -0700
From: travis+ml-cryptography@subspacefield.org
To: cryptography@metzdowd.com
Mail-Followup-To: cryptography@metzdowd.com
In-Reply-To: <D5EF5B10-B0F4-4FE8-826B-D64E497BDA09@lrw.com>



On Thu, Aug 26, 2010 at 06:25:55AM -0400, Jerry Leichter wrote:
> [F]IPS doesn't tell you how to *seed* your deterministic generator.  In
> effect, a FIPS-compliant generator has the property that if you start it
> with an unpredictable seed, it will produce unpredictable values.

That brings up an interesting question... if you have a source of
unpredictable values in the first place, why use a CSPRNG? ;-)

Actually, I know I'm being snarky; I'm aware that they're handy for
"stretching" your random bits, if you don't have enough for the task.

I suppose some people feel they're also handy for whitening them, so
that if they're not entirely random, the structure isn't completely
obvious from the output alone, but I think that's probably a separate
property that needs to be evaluated independent of the others.

Last I checked Linux /dev/{u,}random uses SHA-1 hash over the pool,
which suggests they had this in mind.  However, it also makes using it
very slow for wiping disks or any other high-bandwidth tasks, at least
when compared to something like Yarrow.

I heard from a colleague that /dev/urandom exists on Android, but
/dev/random does not.  Our best guess is that it's the same as the
standard Linux /dev/urandom, but we're not really sure.  Presumably
they dumped /dev/random because there just weren't enough sources of
unpredictability on that platform.  I'd like to hear from anyone who
knows details.

Also, please do check out the links about RNGs on the aforementioned
page.  Seth Hardy's /dev/erandom looks very interesting, and has
languished in relative obscurity for nearly a decade.

I'll take the rest of my comments to this list:
http://lists.bitrot.info/mailman/listinfo/rng
-- 
It asked me for my race, so I wrote in "human". -- The Beastie Boys
My emails do not have attachments; it's a digital signature that your mail
program doesn't understand. | http://www.subspacefield.org/~travis/
If you are a spammer, please email john@subspacefield.org to get blacklisted.

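The "stretching" property under discussion (a deterministic generator that turns one short unpredictable seed into as much keying material as you need, and stays unpredictable only as long as the seed was) is easiest to see in code. The block below is an added illustration, not code from this thread or from any FIPS-validated module: a minimal HMAC_DRBG in the style of SP 800-90A over SHA-256. The 256-bit minimum seed and the small reseed interval are choices made here for demonstration.

```python
import hashlib
import hmac
import os


class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A construction) over SHA-256."""

    OUTLEN = 32
    # Illustrative value; the specification permits far more requests per seed.
    RESEED_INTERVAL = 1 << 16

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        # The generator is only as good as this seed: it cannot create entropy, only stretch it.
        if len(entropy) < 32:
            raise ValueError("seed must carry at least 256 bits of entropy")
        self.k = b"\x00" * self.OUTLEN
        self.v = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.k, data, hashlib.sha256).digest()

    def _update(self, provided: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data (if any) into the key K and state V.
        self.k = self._hmac(self.v + b"\x00" + provided)
        self.v = self._hmac(self.v)
        if provided:
            self.k = self._hmac(self.v + b"\x01" + provided)
            self.v = self._hmac(self.v)

    def reseed(self, entropy: bytes, additional: bytes = b"") -> None:
        self._update(entropy + additional)
        self.reseed_counter = 1

    def generate(self, n: int) -> bytes:
        # Refuse to keep stretching one seed indefinitely; the caller must bring fresh entropy.
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before further output")
        out = b""
        while len(out) < n:
            self.v = self._hmac(self.v)
            out += self.v
        self._update(b"")  # back-track resistance: old state cannot be recovered from K, V
        self.reseed_counter += 1
        return out[:n]


if __name__ == "__main__":
    # Seed from the OS pool (the unpredictable part FIPS leaves to you), then stretch it.
    print(HmacDrbg(os.urandom(32)).generate(48).hex())
```

The same seed always yields the same stream, which is exactly why the seed, not the generator, decides whether the output is unpredictable.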

