[cryptography] urandom vs random

Patrick Mylund Nielsen cryptography at patrickmylund.com
Fri Aug 16 15:49:21 EDT 2013


On Fri, Aug 16, 2013 at 3:30 PM, Tony Arcieri <bascule at gmail.com> wrote:

> On Fri, Aug 16, 2013 at 9:18 AM, Patrick Mylund Nielsen <
> cryptography at patrickmylund.com> wrote:
>
>> Yes, but they aren't talking about urandom. Your reply made it sound like
>> random is weak, but the paper points to both (as urandom is seeded by
>> random), and they propose a new AES-based PRNG that accumulates entropy
>> properly.
>>
>
> I'm not sure if you feel the same way, but the  opinion of many uneducated
> observers[1] seems to be that using a PRNG at all in these contexts is
> "insecure" when that is absolutely not the case, and for the most part
> there isn't a meaningful difference between the security of random vs
> urandom except that random will run out of entropy.
>

Ignoring the veiled insult: I don't, but I still recognize that they're not
identical (at least on Linux.) There's no meaningful difference in most
cases, i.e. when nobody's observing the output, or if the CSPRNG has no
biases. Using /dev/urandom in general is fine. Either way, that's beside
the point.


> The "urandom is insecure" claims are specifically what I was trying to
> challenge, and I hope this paper helps drive it home. If "urandom is
> insecure" it isn't more so than /dev/random
>

You replied with a link to a paper that states that both /dev/random and
/dev/urandom have the same weaknesses, and said that "/dev/random isn't
robust." Neither of them are, so what the paper drove home is that both
have vulnerabilities, not that /dev/random is worse than /dev/urandom
(which must clearly be false since /dev/urandom is a PRNG seeded by
/dev/random.) That is all I'm pointing out.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.randombit.net/pipermail/cryptography/attachments/20130816/56110fa7/attachment.html>


More information about the cryptography mailing list