[9458] in cryptography@c2.net mail archive
Re: chip-level randomness?
daemon@ATHENA.MIT.EDU (Ben Laurie)
Mon Sep 24 09:23:00 2001
Message-ID: <3BAF053E.6EB5D184@algroup.co.uk>
Date: Mon, 24 Sep 2001 11:04:46 +0100
From: Ben Laurie <ben@algroup.co.uk>
MIME-Version: 1.0
To: Bram Cohen <bram@gawth.com>
Cc: Peter Fairbrother <peter.fairbrother@ntlworld.com>,
Pawel Krawczyk <kravietz@aba.krakow.pl>,
cryptography@wasabisystems.com
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Bram Cohen wrote:
>
> On Wed, 19 Sep 2001, Peter Fairbrother wrote:
>
> > Bram Cohen wrote:
> >
> > > You only have to do it once at startup to get enough entropy in there.
> >
> > If your machine is left on for months or years the seed entropy would become
> > a big target. If your PRNG status is compromised then all future uses of
> > PRNG output are compromised, which means pretty much everything crypto.
> > Other attacks on the PRNG become possible.
>
> Such attacks can be stopped by reseeding once a minute or so, at much less
> computational cost than doing it 'continuously'. I think periodic
> reseedings are worth doing, even though I've never actually heard of an
> attack on the internal state of a PRNG which was launched *after* it had
> been seeded properly once already.
There was a bug in OpenSSL's PRNG (and BSAFE's) which permitted recovery
of the internal state from a largish number of small outputs. It has
been fixed, of course.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"There is no limit to what a man can do or how far he can go if he
doesn't mind who gets the credit." - Robert Woodruff
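The exchange above turns on one property: once an attacker learns a PRNG's internal state, every output derived purely from that state is predictable until fresh entropy is mixed in. The following Python model is an added illustration of that point and is not code from this thread, from OpenSSL or from BSAFE. The generator construction (a SHA-256 "output" and "next state" chain with a separate reseed step), the seed string, the reseed period and the use of `os.urandom` as the fresh-entropy source are all assumptions made for the demonstration; the attacker is modelled simply as a copy of the state, which is the outcome the thread is worried about, not the recovery technique.

```python
import hashlib
import os
from typing import List, Optional


class HashPRNG:
    """Toy hash-based generator (assumed construction, for illustration only).

    output_i  = SHA-256("out:"  || state_i)
    state_i+1 = SHA-256("next:" || state_i)
    reseed    : state = SHA-256("reseed:" || state || fresh_entropy)
    """

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"seed:" + seed).digest()

    def output(self, n: int) -> List[bytes]:
        """Return n 32-byte outputs, advancing the state after each one."""
        blocks = []
        for _ in range(n):
            blocks.append(hashlib.sha256(b"out:" + self.state).digest())
            self.state = hashlib.sha256(b"next:" + self.state).digest()
        return blocks

    def reseed(self, fresh: bytes) -> None:
        """Mix fresh entropy into the state; an attacker holding the old
        state cannot follow past this point without also knowing `fresh`."""
        self.state = hashlib.sha256(b"reseed:" + self.state + fresh).digest()

    def clone(self) -> "HashPRNG":
        """Model a state compromise: the attacker now holds an exact copy."""
        other = HashPRNG.__new__(HashPRNG)
        other.state = self.state
        return other


def predicted_after_compromise(reseed_period: Optional[int], total: int) -> int:
    """Simulate a state compromise and count how many of the next `total`
    outputs the attacker's copy predicts correctly.

    reseed_period=None  -> the generator is seeded once and never again.
    reseed_period=k     -> fresh entropy (os.urandom) is mixed in before
                           every k-th output.
    """
    gen = HashPRNG(b"constructed initial seed")   # constructed sample seed
    gen.output(1)                                 # some normal use first
    attacker = gen.clone()                        # state leaks here

    hits = 0
    for i in range(total):
        if reseed_period and i > 0 and i % reseed_period == 0:
            gen.reseed(os.urandom(32))            # defender's periodic reseed
        real = gen.output(1)[0]
        guess = attacker.output(1)[0]
        if real == guess:
            hits += 1
    return hits


if __name__ == "__main__":
    print("never reseeded  :", predicted_after_compromise(None, 20), "/ 20 predicted")
    print("reseed every 5  :", predicted_after_compromise(5, 20), "/ 20 predicted")
```

Without reseeding the attacker predicts all 20 outputs; with a reseed every five outputs the prediction breaks at the first reseed after the compromise, so exposure is bounded by the reseed interval rather than by the uptime of the machine. This is the trade-off Bram and Peter are discussing: the cost of a reseed is one hash over the state plus some fresh entropy, and it has to be paid only as often as you want to cap the damage window.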
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@wasabisystems.com