[cryptography] Applications should be the ones [GishPuppy]

Paul Hoffman paul.hoffman at vpnc.org
Fri Feb 17 10:05:24 EST 2012


On Feb 17, 2012, at 4:55 AM, Jack Lloyd wrote:

> On Thu, Feb 16, 2012 at 09:41:04PM -0600, Nico Williams wrote:
> 
>> developers agree).  I can understand *portable* applications (and
>> libraries) having entropy gathering code on the argument that they may
>> need to run on operating systems that don't have a decent entropy
>> provider.
> 
> Another good reason to do this is resilience - an application that
> takes some bits from /dev/(u)random if it's there, but also tries
> other approaches to gather entropy, and mixes them into a (secure)
> PRNG, will continue to be safe even if a bug in the /dev/random
> implementation (or side channel in the kernel that leaks pool bits,
> etc) causes the conditional entropy of what it is producing to be
> lower than perfect. I'm sure at some point we'll see a fiasco on the
> order of the Debian OpenSSL problem with /dev/random in a major
> distribution.

Note the "and mixes them into a (secure) PRNG". If the app developer does a bad (typical?) job and mixes them poorly, they can end up with less unpredictable bits than if they had just taken the results from /dev/random.

Looked at another way, if an app developer is going to do any processing on /dev/random, they should really look at the result as the app having its own fully-functional PRNG that has input from the OS, not the app making an "improvement" on the OS.

--Paul Hoffman
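
Added example, not part of the original message or of any project's code: it illustrates the mixing point above by showing an XOR mixer that cancels the OS input when a second source is correlated with it, next to a length-prefixed hash that seeds an application-owned generator. The names `xor_mix`, `hash_mix`, `AppPRNG` and all sample inputs are hypothetical and constructed for the illustration.

```python
import hashlib
import hmac

def xor_mix(a: bytes, b: bytes) -> bytes:
    """Poor mixer: XOR is only sound when the inputs are independent."""
    return bytes(x ^ y for x, y in zip(a, b))

def hash_mix(*sources: bytes) -> bytes:
    """Hash every input with a length prefix so inputs cannot cancel each
    other and (b"ab", b"c") is distinct from (b"a", b"bc")."""
    h = hashlib.sha256()
    for s in sources:
        h.update(len(s).to_bytes(8, "big"))
        h.update(s)
    return h.digest()

class AppPRNG:
    """Illustrative app-owned generator: HMAC-SHA256 in counter mode,
    keyed by the mixed seed. OS bytes are one input, not the output."""
    def __init__(self, *sources: bytes):
        self._key = hash_mix(*sources)
        self._counter = 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self._counter += 1
            block = self._counter.to_bytes(8, "big")
            out += hmac.new(self._key, block, hashlib.sha256).digest()
        return out[:n]

# Constructed sample inputs (fixed so the result is reproducible); a real
# program would read os.urandom(32) and its own gathered data instead.
OS_BYTES = bytes(range(32))        # stands in for a /dev/urandom read
CORRELATED = bytes(range(32))      # second "source" that repeats the first
TIMING = b"constructed-timing-sample"

def demo():
    weak = xor_mix(OS_BYTES, CORRELATED)     # all zero: OS input cancelled
    strong = hash_mix(OS_BYTES, CORRELATED)  # still depends on OS_BYTES
    stream = AppPRNG(OS_BYTES, TIMING).read(48)
    return weak, strong, stream

if __name__ == "__main__":
    weak, strong, stream = demo()
    print("xor :", weak.hex())
    print("hash:", strong.hex())
    print("prng:", stream.hex())
```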



