Ge' Weijers (ge@Progressive-Systems.Com)
Mon, 12 Apr 1999 11:33:47 -0400
On Mon, Apr 12, 1999 at 11:06:18AM -0400, Adam Shostack wrote:
> Why is that? /dev/urandom should give you the best random
> output on the machine. If you're going to write more code, why not
> spend the time to make that code available as part of the system
> library?
The idea is to limit the effect of tampering with the
kernel. /dev/urandom is the best source of randomness assuming it's
working correctly. Assuming it doesn't, what can be done to limit the
bad effects? One way would be to use multiple sources of entropy. If
we put this code in a standard library it's easily replaced again, so
I would not go that route.
Other approaches may also be valid. As an example: in "Computational
Alternatives to Random Number Generators" (M'Raihi et al.,
Proceedings of Selected Areas in Cryptography '98) it's shown that you
can convert (most if not all) PK signature schemes that need random
numbers into ones that don't. It's trivial to modify this approach to
one that will be secure whether /dev/random's output is random or not.
Ge'
--
Ge' Weijers                   Voice: (614)326 4600
Progressive Systems, Inc.     FAX:   (614)326 4601
2000 West Henderson Rd. Suite 400, Columbus OH 43220
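One way to act on the two ideas in this message (mixing several entropy sources, and deriving a signature nonce that stays unpredictable even when the kernel RNG is misbehaving), as an added example that is not from the original thread or its author; the function names and the sample key are my own choices:

```python
import hashlib
import hmac
import os


def mix_entropy(sources, out_len=32):
    """Combine several entropy sources into out_len bytes.

    Each source is length-prefixed before hashing, so (b"ab", b"c") and
    (b"a", b"bc") do not collide. If any one source is unpredictable the
    SHA-256 output is too, so a tampered kernel RNG that emits constant
    bytes does not by itself make the result predictable.
    """
    h = hashlib.sha256()
    for src in sources:
        h.update(len(src).to_bytes(4, "big"))
        h.update(src)
    prk = h.digest()
    # HMAC counter-mode expansion of the extracted key to the requested length
    out = b""
    for counter in range((out_len + 31) // 32):
        out += hmac.new(prk, counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:out_len]


def derive_nonce(private_key, message, system_random):
    """Hedged per-signature nonce.

    Keyed by the signer's private key and bound to the message, so with a
    broken system RNG it degrades to the deterministic construction the
    mail refers to (distinct messages still get distinct nonces that an
    observer without the key cannot predict); with a working RNG each
    signature additionally gets fresh randomness.
    """
    data = (len(message).to_bytes(4, "big") + message
            + len(system_random).to_bytes(4, "big") + system_random)
    return hmac.new(private_key, data, hashlib.sha256).digest()


if __name__ == "__main__":
    key = b"\x07" * 32                 # constructed demo key, not a real one
    broken_rng = b"\x00" * 32          # what a tampered /dev/urandom might emit
    good_rng = os.urandom(32)          # the real system source
    print(mix_entropy([good_rng, broken_rng, os.getpid().to_bytes(4, "big")]).hex())
    print(derive_nonce(key, b"message one", broken_rng).hex())
    print(derive_nonce(key, b"message two", broken_rng).hex())
    print(derive_nonce(key, b"message one", good_rng).hex())
```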
The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:22