[cryptography] Applications should be the ones [GishPuppy]

Jon Callas jon at callas.org
Fri Feb 17 14:33:15 EST 2012


On Feb 17, 2012, at 4:55 AM, Jack Lloyd wrote:

> On Thu, Feb 16, 2012 at 09:41:04PM -0600, Nico Williams wrote:
> 
>> developers agree).  I can understand *portable* applications (and
>> libraries) having entropy gathering code on the argument that they may
>> need to run on operating systems that don't have a decent entropy
>> provider.
> 
> Another good reason to do this is resilience - an application that
> takes some bits from /dev/(u)random if it's there, but also tries
> other approaches to gather entropy, and mixes them into a (secure)
> PRNG, will continue to be safe even if a bug in the /dev/random
> implementation (or side channel in the kernel that leaks pool bits,
> etc) causes the conditional entropy of what it is producing to be
> lower than perfect. I'm sure at some point we'll see a fiasco on the
> order of the Debian OpenSSL problem with /dev/random in a major
> distribution.

Really?

Let's suppose I've completely compromised your /dev/random and I know the bits coming out. If you pull bits out of it and put them into any PRNG, how is that not just Bits' = F(Bits)? Unless F is a secret function, I just compute Bits' myself. If F is a secret function then the security is exactly the secrecy of F.

	Jon
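
An added example, not part of the original message: a Python sketch of the Bits' = F(Bits) argument and of the mixing scenario in the quoted text. The function F, the source names and all sample values are constructed assumptions; the code counts how many guesses an observer who knows F and the OS bits needs to reproduce the output.

```python
import hashlib
import hmac

def F(inputs, nbytes=32):
    """Public deterministic mixer/PRNG (constructed for this example):
    hash length-prefixed inputs to a key, expand with HMAC-SHA256."""
    h = hashlib.sha256()
    for part in inputs:
        h.update(len(part).to_bytes(8, "big") + part)
    key, out, ctr = h.digest(), b"", 0
    while len(out) < nbytes:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:nbytes]

def guesses_needed(known, candidates, observed):
    """Guesses an observer who knows F and `known` makes before reproducing
    `observed`; each candidate is a list of the remaining inputs.
    Returns None if the candidate space is exhausted without a match."""
    for n, rest in enumerate(candidates, start=1):
        if hmac.compare_digest(F([known] + rest, len(observed)), observed):
            return n
    return None

# Constructed sample values, not real captures.
OS_BITS = bytes.fromhex("00112233445566778899aabbccddeeff")  # assumed known to the observer
WEAK_EXTRA = (1234).to_bytes(2, "big")  # second source drawn from only 2**15 values
STRONG_EXTRA = hashlib.sha256(b"stand-in for 256 unobserved bits").digest()

def small_space():
    # Every value the weak second source could have taken.
    return ([i.to_bytes(2, "big")] for i in range(2**15))

def demo():
    only_os = guesses_needed(OS_BITS, [[]], F([OS_BITS]))
    weak_mix = guesses_needed(OS_BITS, small_space(), F([OS_BITS, WEAK_EXTRA]))
    strong_mix = guesses_needed(OS_BITS, small_space(), F([OS_BITS, STRONG_EXTRA]))
    return only_os, weak_mix, strong_mix

if __name__ == "__main__":
    print(demo())
```

With these constructed inputs the result is one guess when the OS bits are the only input, 1235 guesses when the second source has a 2**15 value space, and no match within that space when the second source is 256 unobserved bits.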



