[cryptography] urandom vs random

Yazid Boukerroui yboukerr at vt.edu
Wed Aug 21 01:29:06 EDT 2013


In terms of usability engineering, /dev/random is fairly cumbersome and in dire need of reform and expansion.

A user might want more control of /dev/random - which sources of entropy, when, and which applications. E.g., I want my Geiger counter to feed communications and radio noise to feed data. I want 3000 from 9am-5pm and 200 otherwise. I want all this in a GUI or config file.

A developer might want to tell /dev/random "don't give me keyboard and mouse crap, instead give me 80% rdrand and 20% audio source."

Naturally, the better alternative is a widely implemented open source TRNG, but good luck convincing manufacturers. So why concentrate on what you can't fix? Reform /dev/random and empower user and developer with choice over quality and amount of randomness!

Randomness is hard to prove, but you can test quality with dieharder.


Open eSignForms <yozons at gmail.com> wrote:
>We all know that randomness is required for good crypto, but what is the
>measurable difference in the quality of the crypto if using a Linux PRNG
>(or in our case the Java SecureRandom PRNG)?  How much easier is it to
>crack an encrypted file done with such weaker PRNGs compared to the
>hardware RNGs, especially if it's so hard to determine the quality of the
>randomness?
>
>
>On Tue, Aug 20, 2013 at 4:10 PM, James A. Donald <jamesd at echeque.com>
>wrote:
>
>> On 2013-08-21 7:33 AM, grarpamp wrote:
>>
>>> The subject thread is covering a lot about OS implementations
>>> and RNG various sources. But what are the short list of open
>>> source tools we should be using to actually test and evaluate
>>> the resulting number streams?
>>>
>> You cannot test and evaluate a supposedly random number stream. True
>> randomness and cryptographically strong pseudo randomness are not directly
>> observable qualities.
>>
>> You have to look at the underlying generation mechanism and deduce
>> randomness, or the lack thereof.
>>
>> If you apply a whitening expander to the source stream ....0000000.... the
>> output stream will look convincingly random, but will be completely non
>> random to anyone who knows the whitening expander and knows or suspects
>> that the source stream is completely non random
>> _______________________________________________
>> cryptography mailing list
>> cryptography at randombit.net
>> http://lists.randombit.net/mailman/listinfo/cryptography
>>
>
>

-- 
Yazid Boukerroui
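
The whitening-expander point quoted above, as an added example that is not part of the original thread: an all-zero source fails a simple frequency test, its whitened output passes, yet anyone who knows the expander and guesses the source predicts the next block. SHA-256 over source-plus-counter is an assumed stand-in for "a whitening expander", and all function names here are constructed.

```python
import hashlib
import math

BLOCK = hashlib.sha256().digest_size  # 32 bytes per output block

def whitening_expander(source: bytes, n_blocks: int) -> bytes:
    """Assumed expander: SHA-256(source || counter) for counter = 0..n-1."""
    return b"".join(
        hashlib.sha256(source + i.to_bytes(8, "big")).digest()
        for i in range(n_blocks)
    )

def monobit_p_value(stream: bytes) -> float:
    """Frequency (monobit) test: a tiny p-value means the bit balance is off."""
    n = len(stream) * 8
    ones = sum(bin(b).count("1") for b in stream)
    return math.erfc(abs(2 * ones - n) / math.sqrt(n) / math.sqrt(2))

def predict_next_block(observed: bytes, guessed_source: bytes):
    """Observer who knows the expander and guesses the source.

    Returns the next output block if the guess reproduces everything seen
    so far, otherwise None.
    """
    seen = len(observed) // BLOCK
    regenerated = whitening_expander(guessed_source, seen + 1)
    if regenerated[:seen * BLOCK] != observed[:seen * BLOCK]:
        return None
    return regenerated[seen * BLOCK:]

# Constructed input: the "....0000000...." source stream from the message.
SOURCE = bytes(4096)
OUTPUT = whitening_expander(SOURCE, 4096)  # 128 KiB of whitened output

if __name__ == "__main__":
    print("raw source p-value:  ", monobit_p_value(SOURCE))
    print("whitened p-value:    ", monobit_p_value(OUTPUT))
    guess = predict_next_block(OUTPUT[:-BLOCK], bytes(4096))
    print("next block predicted:", guess == OUTPUT[-BLOCK:])
```

The monobit test is only one of the statistics a battery such as dieharder runs; the example shows that passing it says nothing about how much entropy went into the source.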

