`harmless extra entropy' [was Re: Lightweight support for instruction RNGs]

To: Paul_Koning%Dell.com@localhost
Subject: `harmless extra entropy' [was Re: Lightweight support for instruction RNGs]
From: Taylor R Campbell <campbell+netbsd-tech-crypto%mumble.net@localhost>
Date: Mon, 21 Dec 2015 05:37:48 +0000

[Trimming unrelated lists for digression.]

   Date: Mon, 21 Dec 2015 02:14:32 +0000
   From: <Paul_Koning%Dell.com@localhost>

   I'm puzzled by some of the comments.  There is never any downside,
   security wise, to stirring more entropy into the RNG.  If the
   entropy source data does not have good properties, then there is no
   benefit, but it can't ever hurt.  For example, stirring 1000 zero
   bytes in is pointless, but also harmless (ignoring the computation
   used to do the stirring).

Not quite so.  See <http://blog.cr.yp.to/20140205-entropy.html> for an
attack that exploits `harmless extra entropy'.  All zeros probably is
harmless, sure -- but one might reasonably choose to disable RDRAND
altogether and rummage in one's trouser pocket for a coin to flip
instead.

One might wonder about the motivation for Linux's original
architecture for RDRAND, which was to xor it directly into the output
of /dev/urandom rather than treat it as a separate entropy source.
Thor isn't doing that, but I'm generally suspicious of treating it
differently from other entropy sources and preventing the operator
from disabling it.

Follow-Ups:
- Re: `harmless extra entropy' [was Re: Lightweight support for instruction RNGs]
  - From: Paul_Koning

References:
- Re: Lightweight support for instruction RNGs
  - From: Paul_Koning

Prev by Date: Re: Lightweight support for instruction RNGs
Next by Date: Re: `harmless extra entropy' [was Re: Lightweight support for instruction RNGs]
Previous by Thread: Re: Lightweight support for instruction RNGs
Next by Thread: Re: `harmless extra entropy' [was Re: Lightweight support for instruction RNGs]
Indexes:

Home | Main Index | Thread Index | Old Index