[cryptography] urandom vs random

Patrick Mylund Nielsen cryptography at patrickmylund.com
Fri Aug 16 12:18:55 EDT 2013


On Fri, Aug 16, 2013 at 12:03 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Fri, Aug 16, 2013 at 8:47 AM, Patrick Mylund Nielsen <
> cryptography at patrickmylund.com> wrote:
>
>> Not for nothing, but that refers to both random and urandom, showing one
>> problem with the entropy estimation, and another with the pool mixing
>> function.
>>
>
> "Finally, we propose a simple and very efficient PRNG construction that is
> provably robust in our new and stronger adversarial model. We therefore
> recommend to use this construction whenever a PRNG with input is used for
> cryptography."
>

Yes, but they aren't talking about urandom. Your reply made it sound like
random is weak, but the paper points to both (as urandom is seeded by
random), and they propose a new AES-based PRNG that accumulates entropy
properly. Here's the whole conclusion:

"We have proposed a new property for PRNG with input, that captures how it
should accumulate the entropy of the input data into the internal state.
This property actually expresses the real expected behavior of a PRNG after
a state compromise, where it is expected that the PRNG quickly recovers
enough entropy. We gave a precise assessment of Linux PRNG /dev/random and
/dev/urandom security. In particular, we prove that these PRNGs are not
robust. These properties are due to the behavior of the entropy estimator
and the mixing function used to refresh its internal state. As pointed by
Barak and Halevi [BH05], who advise against using run-time entropy
estimation, we have shown vulnerabilities on the entropy estimator due to
its use when data is transferred between pools in Linux PRNG. We therefore
recommend that the functions of a PRNG do not rely on such an estimator.
Finally, we proposed a PRNG with input construction that meets our new
property in the standard model. We therefore recommend to use this
construction whenever a PRNG with input is used for cryptography."

And from the introduction:

"On a practical side, we give a precise assessment of the security of the
two Linux PRNGs, /dev/random and /dev/urandom. In particular, we prove that
these PRNGs are not robust and do not accumulate entropy properly. These
properties are due to the behavior of the entropy estimator and the
internal mixing function of the Linux PRNGs. We also analyze the PRNG with
input proposed by Barak and Halevi. This scheme was proven robust in [BH05]
but we prove that it does not generically satisfy our expected property of
entropy accumulation. On the positive side, we propose a PRNG construction
that is robust in the standard model and in our new stronger adversarial
model."

There is a much more in-depth comparison starting in section 5.1.
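Editor's added example (not from this thread, not from the paper, and not Linux kernel code): a toy "PRNG with input" in Python that illustrates the recovery-after-state-compromise behaviour the quoted conclusion is talking about. The hash-based refresh, the HMAC-based next function, the compromised state and the candidate inputs are all assumptions constructed here; the paper's own AES-based construction is not reproduced. What it shows: once the attacker knows the pre-refresh state, an input that looks like 16 random bytes but actually comes from a 256-element set is brute-forced in a loop, while an input with real uncertainty puts the new state out of reach. An estimator that judges entropy by looking at the input bytes could not tell the two cases apart, which is the Barak-Halevi argument against run-time estimation.

```python
# Added example (not from this thread or the paper): a toy "PRNG with input",
# used to illustrate recovery after state compromise. It is NOT the paper's
# AES-based construction and NOT the Linux /dev/random pool code; the refresh
# and next functions below are assumptions chosen for clarity.
import hashlib
import hmac
from itertools import chain, product
from typing import Iterable, Optional

STATE_LEN = 32  # bytes of internal state


class ToyPrngWithInput:
    """Minimal PRNG with input, deliberately without an entropy estimator.

    refresh(S, I): S <- SHA-256(S || I)          accumulate the input into the state
    next(S):       R <- HMAC(S, "out"); S <- HMAC(S, "next"); output R
    """

    def __init__(self, state: bytes) -> None:
        if len(state) != STATE_LEN:
            raise ValueError("state must be %d bytes" % STATE_LEN)
        self.state = state

    def refresh(self, data: bytes) -> None:
        self.state = hashlib.sha256(self.state + data).digest()

    def next(self) -> bytes:
        out = hmac.new(self.state, b"out", hashlib.sha256).digest()
        self.state = hmac.new(self.state, b"next", hashlib.sha256).digest()
        return out


def recover_input(compromised_state: bytes, candidates: Iterable[bytes],
                  observed_output: bytes) -> Optional[bytes]:
    """Attacker model: the pre-refresh state is known (state compromise), one
    refresh happened with an input the attacker did not see, then one output
    was observed. The attacker replays every input it considers possible and
    keeps the one that reproduces the output (and therefore the new state)."""
    for guess in candidates:
        sim = ToyPrngWithInput(compromised_state)
        sim.refresh(guess)
        if hmac.compare_digest(sim.next(), observed_output):
            return guess
    return None


COMPROMISED_STATE = bytes(range(STATE_LEN))  # constructed: the state the attacker learned


def disguised_inputs() -> Iterable[bytes]:
    """256 inputs that each look like 16 random bytes but carry only 8 bits of
    uncertainty (constructed: truncated SHA-256 of a single byte). An estimator
    that inspects the bytes would credit each of them with far more than 8 bits."""
    return (hashlib.sha256(bytes([b])).digest()[:16] for b in range(256))


def disguised_input_is_brute_forced() -> bool:
    """Compromise + low-entropy input: the attacker recovers the input exactly,
    so the post-refresh state is known too. Returns True when the attack works."""
    secret_input = hashlib.sha256(bytes([0x2A])).digest()[:16]
    prng = ToyPrngWithInput(COMPROMISED_STATE)
    prng.refresh(secret_input)
    observed = prng.next()
    return recover_input(COMPROMISED_STATE, disguised_inputs(), observed) == secret_input


def fresh_input_recovers() -> bool:
    """Compromise + input with real uncertainty: every candidate the attacker can
    afford to try fails, so the PRNG has recovered. Returns True when no guess hits."""
    # Constructed stand-in for 16 bytes the attacker cannot predict (in a real
    # system this would come from an entropy source the attacker does not observe).
    fresh_input = bytes.fromhex("9b1f6e0c4d3a72e5f08817c6a2b95d41")
    prng = ToyPrngWithInput(COMPROMISED_STATE)
    prng.refresh(fresh_input)
    observed = prng.next()
    affordable = chain(
        (bytes([b]) for b in range(256)),                  # all 1-byte inputs
        (bytes(p) for p in product(range(256), repeat=2)),  # all 2-byte inputs
        disguised_inputs(),                                 # the 256 disguised ones
    )
    return recover_input(COMPROMISED_STATE, affordable, observed) is None


if __name__ == "__main__":
    print("disguised 16-byte input brute-forced:", disguised_input_is_brute_forced())
    print("fresh 16-byte input recovers state:  ", fresh_input_recovers())
```

The two demo functions differ only in the input fed to refresh: same compromised state, same attacker, same budget of guesses. That is the point of the robustness notion: whether the PRNG recovers depends on the entropy actually present in the input, not on any number an estimator assigns to it.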