[9405] in cryptography@c2.net mail archive


Re: chip-level randomness?

daemon@ATHENA.MIT.EDU (Bram Cohen)
Thu Sep 20 00:04:43 2001

Date: Wed, 19 Sep 2001 15:28:48 -0700 (PDT)
From: Bram Cohen <bram@gawth.com>
To: John Gilmore <gnu@toad.com>
Cc: Pawel Krawczyk <kravietz@aba.krakow.pl>,
	cryptography@wasabisystems.com, tytso@mit.edu
In-Reply-To: <200109192050.NAA03769@toad.com>
Message-ID: <Pine.LNX.4.21.0109191523200.19149-100000@ultra.gawth.com>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII

On Wed, 19 Sep 2001, John Gilmore wrote:

> Also, the PRNG in /dev/random and /dev/urandom may someday be broken
> by analytical techniques.  The more diverse sources of true or
> apparent randomness that we can feed into it, the less likely it is
> that a successful theoretical attack on the PRNG will be practically
> successful.  If even a single entropy source of sufficiently high
> speed is feeding it, even a compromised PRNG may well be unbreakable.

The only part of the /dev/random PRNG which there's reason to worry about
any more than the rest of your cryptographic protocol is possible
manipulation attacks done by someone who can feed bogus inputs into it.
I've never heard of this being pulled off in practice, and the design of
/dev/random may not even be open to them - it hasn't been analyzed
carefully for them.

That said, I think it would make sense to change the internal design of
/dev/random, mostly to make it based on rijndael instead of sha1, just
for performance reasons.

-Bram Cohen

"Markets can remain irrational longer than you can remain solvent"
                                        -- John Maynard Keynes

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
