From: "Theodore Ts'o" <tytso@mit.edu>
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Fortuna
Date: Tue, 19 Apr 2005 00:01:16 -0400
Message-ID: <20050419040116.GA6517@thunk.org>
In-Reply-To: <d419gl$qvq$2@abraham.cs.berkeley.edu>

On Mon, Apr 18, 2005 at 09:40:37PM +0000, David Wagner wrote:
> Yes, that is a minor glitch, but I believe all their points remain
> valid nonetheless.  My advice is to apply the appropriate s/MD5/SHA1/g
> substitution, and re-read the paper to see what you can get out of it.
> 
> The problem is not that the paper is shallow; it is not.  The source
> of the error is likely that this paper was written by theorists, not
> implementors.  There are important things we can learn from them, and I
> think it is worth reading their paper carefully to understand what they
> have to offer.

Since the paper was written by theorists, it appears that they didn't
bother to read the implementation, but instead made assumptions from
the man pages, as well as making the assumption that the man page
(which was not written as a specification from which the code was
implemented, and indeed was not even written by the code authors) was
in fact an accurate representation of drivers/char/random.c.

So section 5.3 is in essence a criticism of a straw man implementation
based on a flawed reading of a flawed man page.  Other than that, it's
fine.  :-)

> I believe they raise substantial and deep questions in their Section 5.3.
> I don't see why you say Section 5.3 is all wrong.  Can you elaborate?
> Can you explain one or two of the substantial errors you see?

For one, /dev/urandom and /dev/random don't use the same pool
(anymore).  They used to, a long time ago, but certainly as of the
writing of the paper this was no longer true.  This invalidates the
entire last paragraph of Section 5.3.

The criticisms of the /dev/random man page do have some point, but the
man page != the implementation.  Also, the paper does not so much make
an attack on the entropy estimator, so much as it casts aspersions on
it, while at the same time making the unspoken assumption that
cryptographic primitives are iron-clad and unbreakable.

So I don't see any particular substantial deep questions, unless you
count, "It is not at all clear that /dev/random ... provides
information-theoretic security.  Indeed, we suspect it sometimes
doesn't" as a deep question.  I don't.

						- Ted
