[16713] in cryptography@c2.net mail archive
Re: entropy depletion
daemon@ATHENA.MIT.EDU (Ben Laurie)
Wed Jan 26 19:22:55 2005
X-Original-To: cryptography@metzdowd.com
Date: Thu, 13 Jan 2005 10:23:17 +0000
From: Ben Laurie <ben@algroup.co.uk>
To: William Allen Simpson <wsimpson@greendragon.com>
Cc: cryptography@metzdowd.com
In-Reply-To: <41E41F98.90909@greendragon.com>
William Allen Simpson wrote:
> Ben Laurie wrote:
>
>> William Allen Simpson wrote:
>>
>>>> Why then restrict it to non-communications usages?
>>>
>>>
>>> Because we are starting from the postulate that observation of the
>>> output could (however remotely) give away information about the
>>> underlying state of the entropy generator(s).
>>
>>
>> Surely observation of /dev/urandom's output also gives away information?
>>
> ummm, no, not by definition.
>
> /dev/random
> blocks on insufficient estimate of stored entropy
> useful for indirect measurement of system characteristics
> (assumes no PRNG)
>
> /dev/urandom
> blocks only when insufficient entropy for initialization of state
> computationally infeasible to determine underlying state
> (assumes robust PRNG)
>
> These are the definitions we've been using around here for many years.
> It does help when everybody is talking about the same things.
Around where? I've never heard of a /dev/random that doesn't include a
PRNG. But I'll admit it's entirely possible I just haven't been paying
attention. Can you give examples?
In any case, if the postulate is that observing the output could give
away information about the underlying state, then I cannot see how
/dev/urandom gets around this problem.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
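The two device definitions quoted in this message, modelled as an added example (this is not code from the thread, nor from any real kernel's random driver). The entropy pool, the estimate bookkeeping, the 128-bit initialization threshold and the SHA-256-based generator are all assumptions made for illustration. The model shows only the blocking behaviour the definitions describe: one device refuses reads whenever the stored-entropy estimate is lower than the request, the other refuses reads only until it has been seeded once and then runs a deterministic generator regardless of the estimate. It does not settle the question raised in the reply about what an observer learns from the output.

```python
"""Toy model of the /dev/random vs /dev/urandom semantics quoted above.

Constructed example: pool, estimate bookkeeping and hash-based generator
are simplifications chosen for illustration, not real kernel code.
"""
import hashlib


class WouldBlock(Exception):
    """Raised where a real /dev/random read would block on a low estimate."""


class NotInitialized(Exception):
    """Raised where a real /dev/urandom read would block: state not yet seeded."""


class EntropyPool:
    """Shared input pool: a running hash state plus the entropy estimate."""

    def __init__(self):
        self.state = hashlib.sha256(b"constructed-initial-state").digest()
        self.estimate_bits = 0       # debited by /dev/random reads
        self.total_bits_ever = 0     # only used for the one-time seeding check

    def add_entropy(self, sample: bytes, estimated_bits: int) -> None:
        # Mix the sample into the state; the estimate is pure bookkeeping.
        self.state = hashlib.sha256(self.state + sample).digest()
        self.estimate_bits += estimated_bits
        self.total_bits_ever += estimated_bits


class BlockingRandom:
    """/dev/random as quoted: blocks on an insufficient stored-entropy estimate."""

    def __init__(self, pool: EntropyPool):
        self.pool = pool

    def read(self, nbytes: int) -> bytes:
        needed = 8 * nbytes
        if self.pool.estimate_bits < needed:
            raise WouldBlock(f"need {needed} bits, estimate is {self.pool.estimate_bits}")
        self.pool.estimate_bits -= needed   # every output bit is debited
        out, counter = b"", 0
        while len(out) < nbytes:
            out += hashlib.sha256(self.pool.state + counter.to_bytes(4, "big")).digest()
            counter += 1
        # Stir the state so the same bytes are never handed out twice.
        self.pool.state = hashlib.sha256(self.pool.state + b"random-read").digest()
        return out[:nbytes]


class NonBlockingRandom:
    """/dev/urandom as quoted: blocks only until seeded, then runs a PRNG."""

    def __init__(self, pool: EntropyPool, init_threshold_bits: int = 128):
        self.pool = pool
        self.init_threshold_bits = init_threshold_bits   # assumed value
        self.key = None
        self.counter = 0

    def read(self, nbytes: int) -> bytes:
        if self.key is None:
            if self.pool.total_bits_ever < self.init_threshold_bits:
                raise NotInitialized("generator state not yet seeded")
            # One-time seeding; later reads never consult the estimate again.
            self.key = hashlib.sha256(b"urandom-seed" + self.pool.state).digest()
        out = b""
        while len(out) < nbytes:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:nbytes]


def try_read(device, nbytes: int):
    """Return the bytes read, or the name of the condition that would block."""
    try:
        return device.read(nbytes)
    except (WouldBlock, NotInitialized) as exc:
        return type(exc).__name__


def demo() -> list:
    """Walk both devices through the same pool and record what each read does."""
    pool = EntropyPool()
    rnd, urnd = BlockingRandom(pool), NonBlockingRandom(pool)
    events = []
    events.append(("random before seeding", try_read(rnd, 16)))
    events.append(("urandom before seeding", try_read(urnd, 16)))
    pool.add_entropy(b"constructed interrupt-timing sample", 256)
    events.append(("random 16 bytes", len(try_read(rnd, 16))))      # debits 128 bits
    events.append(("random 32 bytes", try_read(rnd, 32)))           # 128 < 256: blocks
    events.append(("urandom 1024 bytes", len(try_read(urnd, 1024))))  # PRNG, no debit
    events.append(("estimate after reads", pool.estimate_bits))
    return events


if __name__ == "__main__":
    for label, result in demo():
        print(f"{label}: {result}")
```

Running the script prints the sequence of events: both devices refuse before any entropy is added, the blocking device accepts a 16-byte read and then refuses a 32-byte one because only 128 estimated bits remain, while the non-blocking device hands out a kilobyte without touching the estimate.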
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com