tech-security archive


Re: Patch: new random pseudodevice

>> And note that at least one highly-thought-of modern design for an
>> entropy collector (Fortuna) doesn't even _try_ to keep an "entropy
>> estimate" -- the whole concept is pretty fuzzy when you start trying
>> to count how many bits you "took out".

> To extend on that: the basic idea is that as long as you started with
> "enough" entropy at some point and feed some form of entropy often
> enough, you have to break the cryptographic primitives pretty much
> completely to predict the output in any way.

Well, sure.  But that's equally true with no mixing at all: feed in
enough unknown ("random") information often enough and you don't have
to mix at all in order to get random information out.  Indeed, mixing
is a danger in that case, because it introduces the possibility of
correlation between past bits and future bits.

> One of the fundamental design assumptions behind Fortuna is that
> there is no correct way to estimate entropy.  People have been pretty
> bad about it whenever they tried.  So remove the need for it.

Unless you have a source of strongly random bits (e.g., noise diode) of
higher bandwidth than the drain your consumers impose, there's no way
around it: you can estimate it badly or you can not estimate it at all.
Not estimating it at all amounts to estimating the amount of input
entropy as infinite, which is a worse estimate than almost any other.
"Because we can't do it well" is a really really bad reason to do it as
badly as possible.

/~\ The ASCII                             Mouse
\ / Ribbon Campaign
 X  Against HTML      
/ \ Email!           7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
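The Fortuna accumulator the two quoted messages argue about, as an added Python sketch (not code from this thread or from any NetBSD patch): the only quantity it tracks is the byte count of pool 0, and the power-of-two reseed schedule does the work an entropy estimate would otherwise do. The 100 ms reseed timer and the AES-CTR generator are simplified away (a SHA-256 counter stands in for the latter); class and method names are my own.

```python
import hashlib
import struct

NUM_POOLS = 32
MIN_POOL_SIZE = 64  # Fortuna's constant: bytes in pool 0 before a reseed is allowed


class FortunaAccumulator:
    """Minimal Fortuna-style accumulator: no entropy estimate, only pool sizes."""

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_len = 0          # the only "count" kept: bytes appended to P0
        self.reseed_count = 0
        self.key = b"\x00" * 32     # generator key; meaningless until first reseed
        self.counter = 0
        self.event_index = 0        # round-robin position (per source in real Fortuna)

    def add_event(self, source_id: int, data: bytes) -> int:
        """Append one event (source || length || data) to the next pool; returns pool index."""
        pool = self.event_index % NUM_POOLS
        self.event_index += 1
        entry = bytes([source_id & 0xFF, len(data) & 0xFF]) + data
        self.pools[pool].update(entry)
        if pool == 0:
            self.pool0_len += len(entry)
        return pool

    def maybe_reseed(self) -> list:
        """Reseed if P0 is big enough; pool i is drained on every 2**i-th reseed."""
        if self.pool0_len < MIN_POOL_SIZE:
            return []
        self.reseed_count += 1
        used = [i for i in range(NUM_POOLS) if self.reseed_count % (1 << i) == 0]
        seed = b"".join(self.pools[i].digest() for i in used)
        for i in used:
            self.pools[i] = hashlib.sha256()   # drained pools start over empty
        self.pool0_len = 0
        self.key = hashlib.sha256(self.key + seed).digest()
        return used

    def random_bytes(self, n: int) -> bytes:
        """SHA-256 in counter mode stands in for Fortuna's AES-CTR generator."""
        if self.reseed_count == 0:
            raise RuntimeError("generator not seeded yet")  # Fortuna refuses output here
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + struct.pack(">Q", self.counter)).digest()
            self.counter += 1
        self.key = hashlib.sha256(self.key + b"rekey").digest()  # forward secrecy step
        return out[:n]
```

Because pool i is only drained every 2**i reseeds, an attacker who can flood the low pools still has to wait 2**i reseeds before pool i's unobserved events are consumed; that waiting is what replaces the estimate.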
