[cryptography] Applications should be the ones [GishPuppy]

Jack Lloyd lloyd at randombit.net
Fri Feb 17 07:55:17 EST 2012


On Thu, Feb 16, 2012 at 09:41:04PM -0600, Nico Williams wrote:

> developers agree).  I can understand *portable* applications (and
> libraries) having entropy gathering code on the argument that they may
> need to run on operating systems that don't have a decent entropy
> provider.

Another good reason to do this is resilience - an application that
takes some bits from /dev/(u)random if it's there, but also tries
other approaches to gather entropy, and mixes them into a (secure)
PRNG, will continue to be safe even if a bug in the /dev/random
implementation (or side channel in the kernel that leaks pool bits,
etc) causes the conditional entropy of what it is producing to be
lower than perfect. I'm sure at some point we'll see a fiasco on the
order of the Debian OpenSSL problem with /dev/random in a major
distribution.

Contemplate, if you will, this /dev/random implementation:

http://syllable.cvs.sourceforge.net/viewvc/syllable/syllable/system/sys/kernel/drivers/misc/random/random.c?revision=1.4&view=markup
http://syllable.cvs.sourceforge.net/viewvc/syllable/syllable/system/sys/kernel/kernel/random.c?revision=1.5&view=markup

-Jack
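
The mixing approach described in the message above, as an added example that is not part of the original post or any project's code: several inputs are length-prefixed and hashed into one seed, so a faulty OS provider alone does not make the seed predictable as long as another input is unknown to the attacker. The function names, the domain label and the choice of clock jitter and PID as secondary sources are assumptions made for illustration.

```python
# Added illustration: all names and the domain label below are hypothetical.
import hashlib
import hmac
import os
import struct
import time

def os_source(n=32):
    """Bytes from the OS provider, or b"" if no provider is available."""
    try:
        return os.urandom(n)
    except NotImplementedError:
        return b""

def jitter_source(rounds=64):
    """Low-grade secondary input: deltas of a high-resolution clock."""
    out = bytearray()
    prev = time.perf_counter_ns()
    for _ in range(rounds):
        now = time.perf_counter_ns()
        out += struct.pack("<Q", (now - prev) & 0xFFFFFFFFFFFFFFFF)
        prev = now
    return bytes(out)

def mix(inputs):
    """Hash (label, data) pairs into a 32-byte seed with HMAC-SHA256."""
    h = hmac.new(b"example-entropy-mix-v1", digestmod=hashlib.sha256)
    for label, data in inputs:
        # Length prefixes keep ("a", b"bc") and ("ab", b"c") distinct.
        for field in (label.encode(), data):
            h.update(struct.pack("<I", len(field)) + field)
    return h.digest()

def expand(seed, n):
    """Counter-mode HMAC-SHA256 output stream keyed by the seed."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(seed, struct.pack("<Q", counter), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seed_from_system():
    """Seed built from the OS provider plus the secondary inputs."""
    return mix([("os", os_source()), ("jitter", jitter_source()),
                ("pid", struct.pack("<I", os.getpid()))])

if __name__ == "__main__":
    print(expand(seed_from_system(), 16).hex())
```

Clock jitter and the PID carry little entropy on their own; they are here only to show that the mix never does worse than its best input.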


