Re: Waiting for Randot (or: nia and maya were right and I was wrong)

On Thu, Jan 14, 2021 at 09:43:44PM +0000, RVP wrote:
> Is this OK (or, it is hopelessly insecure)?:

If you have the same secure randomness as everyone else you don't have
secure randomness.

If you do have unique secure randomness, you only need 256 bits of it
to continue generating it forever.

> The other alternative is the user mashing the keyboard and moving a mouse
> for a few minutes.

This is the very old way of doing things and is considered Not Good by
current-day standards; it's already been ruled out multiple times and
should not be necessary except in the most hopeless of hopeless cases.

I'm extremely uninterested in anything that requires user intervention
except in uncommon cases (obscure hardware) and where it is already
obvious they have to intervene.

Also, this paper describes how the Linux kernel's attempts to evaluate
the entropy value of input sources can be manipulated, which provides
further context for the motivation behind the original changes last year:

If you have input, you have to know its value for secure randomness
beforehand. Certain HWRNGs are documented and we know roughly the
value of their output beforehand. Certain environmental sensors are
fundamentally subject to extremely difficult-to-predict physical
processes, like turbulence and electromagnetic noise.
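An added illustration of the two points above (a 256-bit unique seed suffices to keep generating, and a seed shared with everyone else is no randomness at all). This is example code written for this page, not NetBSD's generator nor a NIST DRBG; the HMAC-SHA256 counter construction and the constructed seeds are assumptions for the demo.

```python
import hashlib
import hmac
import os


class SeededGenerator:
    """Deterministic generator: HMAC-SHA256 over a counter, keyed by a
    256-bit seed (a simplified illustrative PRF stream, not a standard DRBG)."""

    def __init__(self, seed: bytes):
        if len(seed) != 32:
            raise ValueError("seed must be exactly 256 bits")
        self._key = seed
        self._counter = 0
        self._buf = bytearray()  # leftover bytes from the last block

    def read(self, n: int) -> bytes:
        """Return the next n bytes; output is a pure function of the seed."""
        while len(self._buf) < n:
            block = hmac.new(self._key, self._counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self._counter += 1
            self._buf += block
        out = bytes(self._buf[:n])
        del self._buf[:n]
        return out


# Constructed seed standing in for one baked into a shared disk image.
SHARED_SEED = bytes(range(32))


def unique_seed() -> bytes:
    """A per-host 256-bit seed from the OS (what every host should have)."""
    return os.urandom(32)


def derive_keys(seed: bytes, count: int, key_len: int = 32) -> list:
    """Stretch one seed into many keys: this is what 256 bits buys you."""
    gen = SeededGenerator(seed)
    return [gen.read(key_len) for _ in range(count)]


def streams_match(seed_a: bytes, seed_b: bytes, nbytes: int = 4096) -> bool:
    """True when two hosts seeded this way would derive identical output."""
    return SeededGenerator(seed_a).read(nbytes) == SeededGenerator(seed_b).read(nbytes)
```

Two hosts seeded with SHARED_SEED produce byte-for-byte identical keys, so anyone holding the same image can regenerate them; only a per-host unique seed yields a stream nobody else can reproduce.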

