Re: Patch: new random pseudodevice

[Alan Barrett <apb%cequrux.com@localhost>]

On Fri, 09 Dec 2011, Thor Lancelot Simon wrote:
> An attacker who can break AES might be able to predict 
> the future output of _one_ instance of the generator.  An 
> attacker who can break AES and recover the key and defeat the 
> backtracking resistance designed into CTR_DRBG *might* be able 
> to recover the prior outputs of the generator for that user. 
> An attacker who can do all these things *and* recover earlier 
> entropy-pool output from later entropy-pool output (that is, do 
> exactly what would have had to be done to break the old design) 
> can recover keys provided by the generator to other users.  If 
> he happens to know when exactly they were produced (time is an 
> input to the algorithm), etc.

Fair enough, but you still seem to be talking about how good a 
CSPRNG it is, whereas my concern is that it's pseudorandom, nor 
random.

How many different bit streams of length 2^31 can be produced by 
a generator that has a 128-bit key?  I think it's 2^128 different 
pseudorandom bit streams of length 2^31.  If they were truly 
random, then there would be 2^(2^31) of them.

I still think it's not appropriate for /dev/random to output 
pseudorandom bits (even cryptographically secure pseudorandom 
bits) when it has historically output random bits (or at least 
attempted to output random bits, modulo bugs, design mistakes, 
etc.).

--apb (Alan Barrett)