[5320] in cryptography@c2.net mail archive
Re: linux-ipsec: /dev/random
daemon@ATHENA.MIT.EDU (John Denker)
Tue Aug 3 11:48:59 1999
Date: Mon, 02 Aug 1999 13:35:53 -0400
To: Paul Koning <pkoning@xedia.com>
From: John Denker <jsd@research.att.com>
Cc: cryptography@c2.net, linux-ipsec@clinet.fi
In-Reply-To: <199908021727.NAA12661@tonga.xedia.com>
At 01:27 PM 8/2/99 -0400, Paul Koning wrote:
>
>we weren't talking about "in principle" or "in general".
>Sure, given an unspecified process of unknown (to me) properties I
>cannot make sensible statements about its entropy. That is true but
>it isn't relevant to the discussion.
>
>Instead, we're talking about systems where we have some understanding
>of the properties involved.
>
>For example, to pick a physical process, suppose I had a noise
>generator (resistor), shielding of known properties or at least
>bounded effectiveness, biases ditto, I would say I can then come up
>with a reasonable entropy estimate, especially if I'm quite
>conservative. This is what people typically do if they build
>"hardware random number generators". They certainly need to be
>treated with care and analyzed cautiously, but it definitely is a
>thing that can be done.
I agree with that. Indeed I actually attached a homebrew TRNG to my
server, pretty much as you described.
>Sure, you can do cat /dev/zero | md5sum > /dev/random, but I don't
>believe anyone is proposing that as a way of feeding entropy into it.
That's where we might slightly disagree :-) ... I've seen some pretty
questionable proposals ... but that's not the point.
The point is that there are a lot of customers out there who aren't ready
to run out and acquire the well-designed hardware TRNG that you alluded to.
So we need to think carefully about the gray area between the
strong-but-really-expensive solution and the cheap-but-really-lame
proposals. The gray area is big and important.
Cheers --- jsd
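Added example, not part of the exchange above or either author's code: a conservative min-entropy estimate of the kind Paul Koning describes for a bounded-bias noise source, next to the deterministic `cat /dev/zero | md5sum` style "source", which an estimator over the process correctly scores at zero bits even though a single digest looks random byte by byte. The biased source and the zero-block hash are simulated here; no hardware is involved.

```python
# Added example (not from the original mail). All data is constructed in-line.
import hashlib
import math
import random
from collections import Counter

def min_entropy_per_sample(samples):
    """Empirical min-entropy in bits per sample: -log2 of the relative
    frequency of the most common symbol. Min-entropy is the conservative
    figure for seeding, since it bounds an attacker's best single guess."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)

def bounded_bias_min_entropy(bias_bound):
    """Worst-case min-entropy per bit for a bit source whose bias is only
    known to be at most `bias_bound` away from 1/2 (0 <= bias_bound < 1/2)."""
    return -math.log2(0.5 + bias_bound)

def biased_bit_source(n, p_one, seed):
    """Toy model of a comparator on resistor noise with a fixed bias
    (constructed stand-in for a real noise generator)."""
    rng = random.Random(seed)
    return [1 if rng.random() < p_one else 0 for _ in range(n)]

def deterministic_hash_source(n):
    """Stand-in for hashing /dev/zero: every 'sample' is the same MD5 digest
    of a zero block, so the process carries no entropy whatsoever."""
    digest = hashlib.md5(bytes(64)).digest()
    return [digest] * n

def misleading_byte_entropy(block):
    """Shannon entropy of the byte histogram of ONE output block. High for
    any hash digest, yet says nothing about the entropy of the process that
    produced it; this is the trap behind judging a feed by how random it looks."""
    counts = Counter(block)
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

if __name__ == "__main__":
    bits = biased_bit_source(100_000, 0.55, seed=1)
    print("empirical min-entropy per bit:", round(min_entropy_per_sample(bits), 3))
    print("worst case with |bias| <= 0.1:", round(bounded_bias_min_entropy(0.1), 3))
    digests = deterministic_hash_source(1000)
    print("min-entropy of hashed zeros:", min_entropy_per_sample(digests))
    print("byte-histogram entropy of one digest:",
          round(misleading_byte_entropy(digests[0]), 2))
```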