[8080] in cryptography@c2.net mail archive
Re: Lots of random numbers
daemon@ATHENA.MIT.EDU (Bill Sommerfeld)
Sat Nov 18 14:24:19 2000
To: Paul Crowley <paul@cluefactory.org.uk>
Cc: Don Davis <dtd@world.std.com>, Rich Salz <rsalz@caveosystems.com>,
cryptography@c2.net
In-Reply-To: Message from Paul Crowley <paul@cluefactory.org.uk>
of "17 Nov 2000 15:36:05 GMT." <87k8a2sja2.fsf@hedonism.subnet.hedonism.cluefactory.org.uk>
Reply-To: sommerfeld@orchard.arlington.ma.us
Date: Fri, 17 Nov 2000 11:37:23 -0500
From: Bill Sommerfeld <sommerfeld@orchard.arlington.ma.us>
Message-Id: <20001117163728.96C932A39@orchard.arlington.ma.us>
> Don Davis <dtd@world.std.com> writes:
> > perhaps surprisingly, i disagree with the other
> > respondents. as long as you encrypt or MAC the
> > incoming packets (& their interarrival times),
> > with a closely-guarded secret key, before you
> > stuff the bits into your entropy pool, then you
> > should do fine.
>
> Eh? You should *never* need to encrypt information before shoving
> it in the pool. If you've got a secret you could use for such
> encryption, shove it in the pool and then forget about it - it will do
> precisely as much good.
I'm inclined to agree with Don here, from principles of conservative
cryptographic engineering. By using a keyed one-way function before
adding data to the pool, you add an additional layer of defense
against an attacker guessing the pool contents.
[The /dev/random designs i've played with typically have a "pre" pool
for efficient accumulation of samples at interrupt level or similar
inconvenient times, and a "real" pool, with the encryption/one way
hash occurring when the samples are added to the real pool.]
- Bill
