Subject: Re: insufficient entropy for rnd
To: Daniel Carosone <>
From: Greg Troxel <>
List: tech-crypto
Date: 08/22/2003 07:43:45
I would also suggest reading the Yarrow paper:

I haven't gone over this in painful detail, but the arguments about
iterative guessing attacks deserve serious consideration; I think
rnd(4) does not address those at the moment.  The basic issue is that
if an attacker knows the internal pool state, and can observe random
values frequently, they can guess the input bits because they are
small, even if a strong hash is used.  To avoid this, Yarrow mixes
input entropy into a holding area, and periodically reseeds the main
generator, and then uses a counter-mode block cipher to generate
output bits.

rnd(4) seems a bit schizophrenic about whether it trusts things like
hash functions or not.  Producing more PRNG bits than input entropy
can be reasonable if the hash or other cryptographic construction is
sound.  This might be less problematic than the typing-rate attacks or
problems due to running out of entropy.  If SHA-1 and AES are no good,
most users of rnd(4) will be deeply scrod anyway.

        Greg Troxel <>