[5139] in cryptography@c2.net mail archive


Re: depleting the random number generator

daemon@ATHENA.MIT.EDU (bram)
Mon Jul 19 02:20:11 1999

Date: Sun, 18 Jul 1999 17:08:49 -0700 (PDT)
From: bram <bram@gawth.com>
To: cryptography@c2.net
In-Reply-To: <3.0.5.32.19990718123056.00800490@idiom.com>

On Sun, 18 Jul 1999, Bill Stewart wrote:

> /dev/urandom will give you pseudo-random bits if it's run out of entropy,
> so you've got the security risks inherent in that.  
> As David Honig points out, you can't avoid those alternatives,

Yes you can, if there's a 'pool' of entropy in memory which contains a
cryptographically large number of bits, and it's both mixed and extracted
from in a cryptographically secure way, then the need for constant
reseeding is eliminated, although it's still helpful. The paper on Yarrow
explains the threat model pretty well -
http://www.counterpane.com/yarrow.html

> so if you need the high quality randomness, you need hardware randomizers.

Those are helpful as well, but should still never be used in the raw -
their entropy output should be estimated conservatively and fed into a
reseedable PRNG.

-Bram
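The design Bram describes (an in-memory pool that is mixed and extracted through a hash, a generator that only reseeds once the pool has accumulated a conservative amount of estimated entropy, and hardware samples credited at a deliberately low rate rather than used raw) can be shown with a small Yarrow-style generator. The code below is an added illustration, not code from the original post or from the Yarrow paper; the class name `PoolPRNG`, the 256-bit reseed threshold, the key-rotation step after each output and the constructed "hardware" samples are all assumptions of this example, and it is not meant for production use.

```python
import hashlib
import hmac
import struct


class PoolPRNG:
    """Toy Yarrow-style reseedable PRNG: pool -> key, key -> output (illustration only)."""

    RESEED_THRESHOLD_BITS = 256  # assumed: pool must hold this much estimated entropy before it is spent
    BLOCK = 32                   # SHA-256 output size in bytes

    def __init__(self):
        self._pool = hashlib.sha256()   # samples are hashed into the pool, never stored raw
        self._pool_entropy_bits = 0     # conservative running estimate of what the pool holds
        self._key = None                # generator key; None until the first reseed
        self._counter = 0
        self.reseed_count = 0

    def add_entropy(self, sample: bytes, estimated_bits: int) -> None:
        """Mix a sample into the pool, crediting only the caller's conservative estimate."""
        # Length-prefix each sample so two samples cannot be confused with one longer one.
        self._pool.update(struct.pack(">I", len(sample)) + sample)
        self._pool_entropy_bits += estimated_bits
        if self._pool_entropy_bits >= self.RESEED_THRESHOLD_BITS:
            self._reseed()

    def _reseed(self) -> None:
        pool_digest = self._pool.digest()
        old_key = self._key if self._key is not None else b"\x00" * self.BLOCK
        # The new key depends on both the old key and the pool, so an attacker who
        # knows one of them still does not learn the new generator state.
        self._key = hmac.new(old_key, b"reseed" + pool_digest, hashlib.sha256).digest()
        # Chain the next pool to the old digest so earlier entropy is not thrown away.
        self._pool = hashlib.sha256(pool_digest)
        self._pool_entropy_bits = 0
        self.reseed_count += 1

    def _next_block(self) -> bytes:
        self._counter += 1
        return hmac.new(self._key, struct.pack(">Q", self._counter), hashlib.sha256).digest()

    def random_bytes(self, n: int) -> bytes:
        """Produce n bytes; works indefinitely once seeded, i.e. output does not 'deplete'."""
        if self._key is None:
            raise RuntimeError("PRNG not seeded: pool has not accumulated enough entropy")
        out = bytearray()
        while len(out) < n:
            out += self._next_block()
        # Generator gate: replace the key with generator output after each request so a
        # later compromise of the key does not reveal bytes already handed out.
        self._key = self._next_block()
        return bytes(out[:n])


def unseeded_refuses_output() -> bool:
    """A pool with too little credited entropy must not emit anything."""
    prng = PoolPRNG()
    prng.add_entropy(b"\x01" * 16, estimated_bits=16)
    try:
        prng.random_bytes(1)
    except RuntimeError:
        return True
    return False


def make_seeded_prng() -> PoolPRNG:
    """Feed constructed 'hardware' samples, each 64 bytes credited at only 1 bit per byte."""
    prng = PoolPRNG()
    for i in range(4):
        # Constructed sample data for the example; a real source would be a hardware RNG.
        sample = bytes((i * 37 + j) % 256 for j in range(64))
        prng.add_entropy(sample, estimated_bits=64)   # 64 bytes credited as 64 bits
    # 4 samples * 64 bits = 256 bits, so the first reseed happens on the fourth sample.
    return prng


if __name__ == "__main__":
    p = make_seeded_prng()
    print("reseeds:", p.reseed_count)
    print(p.random_bytes(32).hex())
```

Two properties are worth checking: the same constructed input gives the same output from two instances (it is a PRNG, not an entropy source), and after the single reseed the generator answers any number of requests without further samples, which is the point that once the pool has been spent into a cryptographically strong generator there is nothing to "run out" of.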
