[cryptography] Duplicate primes in lots of RSA moduli

Marsh Ray marsh at extendedsubset.com
Fri Feb 17 16:05:16 EST 2012


On 02/17/2012 02:51 PM, Jon Callas wrote:
>
> On Feb 17, 2012, at 12:41 PM, Nico Williams wrote:
>>
>> I'd like for /dev/urandom to block, but only early in boot.  Once
>> enough entropy has been gathered for it to start it should never
>> block.  One way to achieve this is to block boot progress early
>> enough in booting by reading from /dev/random, thus there'd be no
>> need for /dev/urandom to ever block.
>
> I can understand why you might want that, but that would be wrong
> with a capital W. The whole *point* of /dev/urandom is that it
> doesn't block. If you want blocking behavior, you should be calling
> /dev/random.

Alternatively, we could specify a /dev/nrandom which has the behavior 
Nico desires.

> The correct solution is to have early-stage boot code
> call /dev/random if it wants blocking behavior.

Except when /dev/random is equivalent to /dev/urandom, as in OpenBSD 
and whatever Ben just posted from (FreeBSD perhaps?).

> (Note that I have completely ignored an argument of why blocking is
> rarely a good idea, which is the reason people call /dev/urandom. No
> one said software engineering was easy.)

"Don't block unless it's truly so soon after startup that the kernel's 
(nondecreasing) accumulated entropy estimate is pathologically low" 
ought to be a satisfiable requirement.

The guy who writes the ssh_keygen program shouldn't have to try to 
figure out if he's being called from /etc/rc*, he should be able to get 
what he needs from a standard device.

- Marsh
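Added example (not part of Marsh's message or of the thread): the behaviour sketched above for a hypothetical /dev/nrandom, block only while the kernel's pool is still unseeded and never afterwards, is what Linux's getrandom(2) with flags=0 provides (the syscall postdates this thread; it arrived in kernel 3.17), and GRND_NONBLOCK lets a program such as an SSH key generator ask "is the pool seeded yet?" without waiting. The fallback to reading /dev/urandom on non-Linux systems, and the helper names fill_random, pool_is_seeded and self_check, are this example's own assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#if defined(__linux__)
#include <sys/random.h>
#endif

/* Fill buf with n bytes from the kernel CSPRNG.
 * Policy: block only until the kernel pool has been seeded once,
 * never afterwards. On Linux that is exactly getrandom(2) with
 * flags = 0. On other systems this example falls back to
 * /dev/urandom (assumption: good enough once the system is up).
 * Returns 0 on success, -1 on error with errno set. */
int fill_random(unsigned char *buf, size_t n) {
    size_t got = 0;
#if defined(__linux__)
    while (got < n) {
        ssize_t r = getrandom(buf + got, n - got, 0);
        if (r < 0) {
            if (errno == EINTR) continue;   /* interrupted: retry */
            return -1;
        }
        got += (size_t)r;                  /* short reads are legal */
    }
    return 0;
#else
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0) {
            if (errno == EINTR) continue;
            close(fd);
            return -1;
        }
        if (r == 0) { close(fd); errno = EIO; return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
#endif
}

/* Probe without waiting: is the kernel pool seeded yet?
 * Returns 1 = seeded, 0 = not yet (caller may defer key generation),
 * -1 = cannot tell on this platform. */
int pool_is_seeded(void) {
#if defined(__linux__)
    unsigned char b;
    ssize_t r = getrandom(&b, 1, GRND_NONBLOCK);
    if (r == 1) return 1;
    if (r < 0 && errno == EAGAIN) return 0;   /* pool not initialised */
    return -1;
#else
    return -1;
#endif
}

/* Sanity check used by the test harness: fetch 32 bytes and report
 * whether at least one of them is non-zero (all-zero output from a
 * seeded CSPRNG is astronomically unlikely). Returns 1 on success. */
int self_check(void) {
    unsigned char buf[32];
    memset(buf, 0, sizeof buf);
    if (fill_random(buf, sizeof buf) != 0) return 0;
    int nonzero = 0;
    for (size_t i = 0; i < sizeof buf; i++) nonzero |= buf[i];
    return nonzero != 0;
}

int main(void) {
    /* What an early-boot key generator would do: report pool state,
     * then draw key material with the block-once-then-never policy. */
    printf("pool seeded: %d\n", pool_is_seeded());
    unsigned char key[32];
    if (fill_random(key, sizeof key) != 0) {
        perror("fill_random");
        return 1;
    }
    for (size_t i = 0; i < sizeof key; i++) printf("%02x", key[i]);
    printf("\n");
    return 0;
}
```

Usage note: run once at startup and the first call is the only one that can ever wait; a service started from /etc/rc* therefore needs no knowledge of whether it is "early" or not, which is precisely the property argued for above.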


