[5154] in cryptography@c2.net mail archive


Re: depleting the random number generator

daemon@ATHENA.MIT.EDU (Marc Horowitz)
Mon Jul 19 22:59:52 1999

From: Marc Horowitz <marc@mit.edu>
To: Sandy Harris <sandy.harris@sympatico.ca>
Cc: cryptography <cryptography@c2.net>
Date: 19 Jul 1999 19:31:51 -0400
In-Reply-To: Sandy Harris's message of "Mon, 19 Jul 1999 17:02:22 +0000"

Sandy Harris <sandy.harris@sympatico.ca> writes:

>> /dev/random uses SHA or MD5, so a complete break appears highly unlikely.
>> But a special-case break, say in circumstances where the input entropy is
>> temporarily exhausted so the attacker gets a look at N successive results
>> where the pool does not change, the only difference is the initial value
>> of the hash's internal variables? I don't think that's likely either,
>> but I've much less confidence that it is impossible.
>> 
>> If you want the thing to stand when the output hash breaks, you need
>> enough input entropy and a good mixing function.

I think people in this thread are confusing pragmatic reality with
theoretical security.  It would be great if every random bit I needed
came from an overbiased zener diode.  But for most uses of encryption,
the output of a decent PRNG which hasn't been reseeded in a while is
just fine.

In every real-world situation I've seen, cryptographic systems which
failed did so because of something other than the crypto failing.

I'm not saying we don't need good output hashes and mixing functions,
but the likelihood of SHA-1 turning into ROT-13 tomorrow certainly
isn't keeping me up at night.

		Marc
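A toy model of the scenario Sandy describes above (an added example, not code from this thread or from any kernel): a pool whose output is a hash of its contents, read several times while no fresh entropy arrives, versus the same pool with a mixing step between reads. The `ToyPool` class, its counter and the seed value are constructed for illustration.

```python
import hashlib

# Toy /dev/random-style pool (constructed for illustration, not Linux's code).
POOL_BYTES = 64


class ToyPool:
    """Entropy pool whose output is a hash over its contents.

    'counter' models the only thing that differs between successive reads
    when no fresh entropy is added: an internal value fed to the output hash.
    """

    def __init__(self, seed: bytes) -> None:
        self.pool = bytearray(hashlib.sha256(seed).digest() * (POOL_BYTES // 32))
        self.counter = 0

    def stir(self, data: bytes) -> None:
        """Mixing function: fold new input into the pool (hash, then XOR in)."""
        digest = hashlib.sha256(bytes(self.pool) + data).digest()
        for i, byte in enumerate(digest):
            self.pool[i % POOL_BYTES] ^= byte

    def read(self) -> bytes:
        """Output hash over pool + counter; the pool itself is left unchanged."""
        self.counter += 1
        return hashlib.sha1(bytes(self.pool) + self.counter.to_bytes(8, "big")).digest()


def outputs_without_reseed(seed: bytes, n: int) -> list:
    """N successive reads with the input entropy exhausted: fully determined by the pool."""
    pool = ToyPool(seed)
    return [pool.read() for _ in range(n)]


def outputs_with_reseed(seed: bytes, fresh: list) -> list:
    """Same pool, but each read is preceded by stirring in a fresh entropy sample."""
    pool = ToyPool(seed)
    result = []
    for sample in fresh:
        pool.stir(sample)
        result.append(pool.read())
    return result


if __name__ == "__main__":
    SEED = b"constructed seed: assume the attacker knows it"
    # Depleted pool: anyone who knows the pool state reproduces every output.
    print(outputs_without_reseed(SEED, 4) == outputs_without_reseed(SEED, 4))  # True
    # Once the mixed-in samples differ, the output streams diverge.
    c = outputs_with_reseed(SEED, [b"sample-1", b"sample-2"])
    d = outputs_with_reseed(SEED, [b"sample-1", b"other"])
    print(c[0] == d[0], c[1] != d[1])  # True True
```

The outputs in the depleted case are distinct from one another (the counter changes) yet carry no entropy beyond what the pool already held, which is the situation the quoted message worries about.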

