tech-kern archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Increasing entropy



On Jun 8, 2012, at 4:38 PM, David Laight wrote:

> On Fri, Jun 08, 2012 at 06:31:54PM +0000, Paul_Koning%Dell.com@localhost 
> wrote:
>> 
>> From what I remember from reading Schneier's discussion of this topic
>> (in the description of the PRNG he designed), the notion of "draining"
>> entropy does not make cryptographic sense.
>> Instead, what you have in a PRNG is a secure bitstring extender,
>> which is seeded with a sufficiently unpredictable bitstring.
>> Yes, it's good to add entropy into the mix when you have some,
>> but the security property you're looking for is that, knowing large
>> amounts of output from /dev/random, you have no practical way to predict
>> any of the bits preceding what you know, nor any of the bits following
>> what you know.
>> And that will be true if the extender is cryptographically secure,
>> and the seed has enough entropy that brute force search of the seed
>> space is impractical.
> 
> I thought tls had been working on those lines?
> 
> I've wondered why something like the following wouldn't work.
> 1) Use the RC4 PRNG as an entropy store, whenever you have anything
>   that might be random feed it in using the 'keying' algorythm.
> 2) When you want some random data, cycle some bytes out of the RC4
>   entropy store and then MD5 hash them. Give the users the MD5 output.
> 
> Might be worth cycling the RC4 prng a few times before and after taking
> data out of it.
> You can't use RC4 itself - the data output is recognisable as RC4 data,
> but an MD5 (or other) hash should correct that.
> 
> At system startup you may need to keep track of the amount of
> randomness, but once you have added enough 'randomness', it doesn't go away.

Right, that's the key point.

Wikipedia has some stuff: 
http://en.wikipedia.org/wiki/Cryptographically_secure_pseudorandom_number_generator
 and http://en.wikipedia.org/wiki/Fortuna_(PRNG) .

The TLS approach sounds like a plausible answer.  I'm not sure that doing the 
RC4 keying at any time other than startup has had any real analysis.  Apart 
from that, it fits the general model of a strong stream generator (RC4 
certainly appears to be such a thing) keyed by entropy.  The one thing I would 
do for any of these is to stay away from MD5.

Also, rather than make things up myself, I'd apply the work of people who are 
actual cryptographers.  There's been a bunch of work in this area (see the 
first Wikipedia article I mentioned) including a review paper that discusses 
weaknesses in a number of the well known PRNGs.  For example, the FIPS one 
apparently fails every contemporary test of quality...

        paul




Home | Main Index | Thread Index | Old Index