[9412] in cryptography@c2.net mail archive


Re: chip-level randomness?

daemon@ATHENA.MIT.EDU (Peter Fairbrother)
Thu Sep 20 00:14:39 2001

Date: Thu, 20 Sep 2001 02:02:28 +0100
From: Peter Fairbrother <peter.fairbrother@ntlworld.com>
To: John Gilmore <gnu@toad.com>,
	Pawel Krawczyk <kravietz@aba.krakow.pl>,
	Theodore Tso <tytso@MIT.EDU>, Bram Cohen <bram@gawth.com>
Cc: Bram Cohen <bram@gawth.com>, <cryptography@wasabisystems.com>
Message-ID: <B7CEFEB4.D85E%peter.fairbrother@ntlworld.com>
In-Reply-To: <200109192050.NAA03769@toad.com>
Mime-version: 1.0
Content-type: text/plain; charset="US-ASCII"
Content-transfer-encoding: 7bit

Bram,

I need _lots_ of random-looking bits to use as cover traffic, so I'm using
continuous reseeding (of a BBS PRNG) using i810_rng output on the i386 platform
as well as other sources (the usual suspects plus CD latency plus an
optional USB feed-through rng device a bit like a dongle). I don't use an rng
on Apple, 'cos it doesn't have one. Others would perhaps not need so many
bits.

I do hash them, but I don't really trust any hash, algorithm, or rng, so I
use all the entropy I can get from anywhere and mix it up. I try to arrange
things so each source is sufficient by itself to provide decent protection.

It might be a better idea to schedule reseeding of the PRNG depending on
usage rather than time for more everyday use. Actually I don't disagree with
you much, except I'd like to see reseeding more often than once a minute.

There is another reason to use a PRNG rather than a real rng, which is to
deliberately repeat "random" output for debugging, replaying games, etc. Not
very relevant to crypto, except perhaps as part of an attack strategy.

-- Peter


>> On Wed, 19 Sep 2001, Peter Fairbrother wrote:
> 
>> Bram Cohen wrote:
>> 
>>>> You only have to do it once at startup to get enough entropy in there.
>> 
>> If your machine is left on for months or years the seed entropy would become
>> a big target. If your PRNG status is compromised then all future uses of
>> PRNG output are compromised, which means pretty much everything crypto.
>> Other attacks on the PRNG become possible.
> 
> Such attacks can be stopped by reseeding once a minute or so, at much less
> computational cost than doing it 'continuously'. I think periodic
> reseedings are worth doing, even though I've never actually heard of an
> attack on the internal state of a PRNG which was launched *after* it had
> been seeded properly once already.




---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com
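The scheme Peter describes above (hash and mix several entropy sources so that any one of them alone protects the seed, then reseed a Blum Blum Shub PRNG according to how much output has been consumed rather than on a timer, while keeping the replay property he mentions) sketched as an added Python example. It is not code from the thread or from any participant. The Blum primes are toy-sized so it runs instantly, the sources are constructed byte strings standing in for i810_rng, CD latency and a USB device, and SHA-256 is my choice of mixing function; the message only says the sources are hashed.

```python
"""Multi-source entropy pool feeding a Blum Blum Shub PRNG that reseeds on use.

Added illustration for the thread above, not code from any participant.
The primes are toy-sized so the example runs instantly; real use needs a
modulus of well over a thousand bits and genuinely unpredictable sources.
"""
import hashlib
import math
import os


def mix_sources(sources):
    """Hash a list of (label, bytes) entropy sources into one 256-bit seed.

    Every chunk is prefixed with its label and length, so shifting bytes
    from one source to another yields a different digest.  Because the
    digest depends on the whole input, an attacker who knows all sources
    but one still cannot predict the seed: each source alone protects it.
    SHA-256 is an assumption here; the thread only says the sources are hashed.
    """
    h = hashlib.sha256()
    for label, data in sources:
        h.update(label.encode() + b"\x00")
        h.update(len(data).to_bytes(4, "big") + data)
    return h.digest()


def is_blum_prime(n):
    """True if n is a prime congruent to 3 mod 4 (trial division; toy sizes only)."""
    if n < 3 or n % 4 != 3:
        return False
    return all(n % d for d in range(2, math.isqrt(n) + 1))


class ReseedingBBS:
    """x_{i+1} = x_i^2 mod N, emitting the low bit of each state.

    Instead of reseeding on a timer, the generator counts bytes handed out
    and pulls a fresh seed from the entropy pool once the budget is spent.
    """

    def __init__(self, p, q, sources, reseed_after=64):
        if not (is_blum_prime(p) and is_blum_prime(q)):
            raise ValueError("p and q must be primes congruent to 3 mod 4")
        self.n = p * q
        self.reseed_after = reseed_after
        self.reseeds = 0
        self.reseed(sources)

    def reseed(self, sources):
        """Replace the internal state with a seed derived from the pooled sources."""
        x = int.from_bytes(mix_sources(sources), "big") % self.n
        while x < 2 or math.gcd(x, self.n) != 1:   # BBS needs 1 < x and gcd(x, N) = 1
            x += 1
        self.x = x
        self.used = 0
        self.reseeds += 1

    def next_bit(self):
        self.x = (self.x * self.x) % self.n
        return self.x & 1

    def next_bytes(self, k, fresh_sources=None):
        """Return k output bytes; reseed from fresh_sources() whenever the budget is used up."""
        out = bytearray()
        for _ in range(k):
            if fresh_sources is not None and self.used >= self.reseed_after:
                self.reseed(fresh_sources())
            byte = 0
            for _ in range(8):
                byte = (byte << 1) | self.next_bit()
            out.append(byte)
            self.used += 1
        return bytes(out)


# Constructed stand-ins for the sources named in the thread; a real pool would
# read the i810 hardware rng, drive timing jitter, a USB device and so on.
def constructed_sources():
    return [
        ("i810_rng", os.urandom(32)),
        ("cd_latency_us", b"\x01\xf4\x02\x0c\x01\xe7\x02\x13"),
        ("usb_dongle", os.urandom(16)),
    ]


if __name__ == "__main__":
    gen = ReseedingBBS(10007, 10067, constructed_sources(), reseed_after=32)
    stream = gen.next_bytes(100, fresh_sources=constructed_sources)
    print(stream.hex())
    print("reseeds performed:", gen.reseeds)   # 1 initial + 3 usage-triggered
```

Two generators built from identical source material emit identical streams, which is the replay-for-debugging property mentioned in the message; supplying `fresh_sources` makes the generator pull new material every `reseed_after` bytes, so a snapshot of the state is only useful to an attacker until the next budget boundary, and changing any single source changes the seed even when every other source is known.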
