tech-kern archive


Re: RND_TYPE_RNG question concerning rate of random bits production



On Sat, Jan 18, 2014 at 01:10:19PM -0500, Perry E. Metzger wrote:
> On Wed, 15 Jan 2014 20:28:17 -0500 Thor Lancelot Simon
> > 
> > You can arrange to be polled for entropy when it's needed.  Have a
> > look at the hifn, amdpm, or bcm2835 RNG drivers.
> 
> Note that there has been recent work on formal analysis of CPRNGs
> like the ones used by various Unix kernels. They tend to indicate
> that proper entropy estimation is not as important as rendering the
> generator robust against bad entropy estimates. See, for example:
> 
> http://www.cs.nyu.edu/~dodis/ps/rng.pdf

The NetBSD RNG machinery goes to considerable effort to do what is
recommended by that and other related papers, and in some cases more.

As for everyone else, the real problem is acquiring initial entropy at
boot -- and knowing that you've acquired it.

What I probably should have said above was "You can arrange to be polled
for entropy at least as often as it's needed".  I think that's a fair
statement given the way the code and underlying cryptographic machinery
actually works.

Thor

