Re: /dev/random is hot garbage

[Joerg Sonnenberger <joerg%bec.de@localhost>]

On Sun, Jul 21, 2019 at 09:13:48PM +0000, Paul.Koning%dell.com@localhost wrote:
> 
> 
> > On Jul 21, 2019, at 5:03 PM, Joerg Sonnenberger <joerg%bec.de@localhost> wrote:
> > 
> > 
> > [EXTERNAL EMAIL] 
> > 
> > On Sun, Jul 21, 2019 at 08:50:30PM +0000, Paul.Koning%dell.com@localhost wrote:
> >> /dev/urandom is equivalent to /dev/random if there is adequate entropy,
> >> but it will also deliver random numbers not suitable for cryptography before that time.
> > 
> > This is somewhat misleading. The problem is that with an unknown entropy
> > state, the system cannot ensure that an attacker couldn't predict the
> > seed used for the /dev/urandom stream. That doesn't mean that the stream
> > itself is bad. It will still pass any statistical test etc.
> 
> That's exactly my point.  If you're interested in a statistically high
> quality pseudo-random bit stream, /dev/urandom is a gread source.  But
> if you need a cryptographically strong random number, then you can't
> safely proceed with an unknown entropy state for the reason you stated,
> which translates into "you must use /dev/random".

That distinction makes no sense at all to me. /dev/urandom is *always* a
cryptographically strong RNG. The only difference here is that without
enough entropy during initialisation of the stream, you can brute force
the entropy state and see if you get a matching output stream based on
that seed.

Joerg