From: "Theodore Ts'o" <tytso@mit.edu>
To: David Wagner <daw-usenet@taverner.cs.berkeley.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: Fortuna
Date: Wed, 20 Apr 2005 03:06:30 -0400 [thread overview]
Message-ID: <20050420070630.GB7997@thunk.org> (raw)
In-Reply-To: <d421jj$vi$1@abraham.cs.berkeley.edu>
On Tue, Apr 19, 2005 at 04:31:47AM +0000, David Wagner wrote:
> Theodore Ts'o wrote:
> >For one, /dev/urandom and /dev/random don't use the same pool
> >(anymore). They used to, a long time ago, but certainly as of the
> >writing of the paper this was no longer true. This invalidates the
> >entire last paragraph of Section 5.3.
>
> Ok, you're right, this is a serious flaw, and one that I overlooked.
> Thanks for elaborating. (By the way, has anyone contacted to let them
> know about these two errors? Should I?)
I don't know of anyone who has contacted the authors yet. I haven't
had the time, since I'm currently travelling at the moment.
> I see three remaining criticisms from their Section 5.3:
> 1) Due to the way the documentation describes /dev/random, many
> programmers will choose /dev/random by default. This default
> seems inappropriate and unfortunate.
> 2) There is a widespread perception that /dev/urandom's security is
> unproven and /dev/random's is proven. This perception is wrong.
> On a related topic, it is "not at all clear" that /dev/random provides
> information-theoretic security.
> 3) Other designs place less stress on the entropy estimator, and
> thus are more tolerant to failures of entropy estimation. A failure
> in the entropy estimator seems more likely than a failure in the
> cryptographic algorithms.
> These three criticisms look right to me.
/dev/urandom is a cryptographic RNG, which is seeded from RNG.
/dev/random uses a very similar cryptographic RNG, but it uses large
pool to collect entropy, and uses an entropy estimator to limit the
amount of data that can be extracted from the rng.
If the entropy estimator fails, /dev/random degrades to a
cryptographic RNG. So it is not a disaster, whereas the approach
described in this paper (which uses a non-cryptographic extractor)
would seem to me to be *more* prone to catastrophically failure if the
entropy estimator fails than /dev/random.
As to whether or not applications should be using /dev/random or
/dev/urandom, /dev/random is no worse than /dev/urandom, as long as
the application doesn't mind blocking when the entropy levels are too
low. In practice, most of the time this situation doesn't arise since
the appropriate way of using /dev/random is only to extract a small
amount of entropy when needed to generate long-term keys, or when
seeding a userspace cryptographic RNG for session keys.
- Ted
next prev parent reply other threads:[~2005-04-20 21:35 UTC|newest]
Thread overview: 41+ messages / expand[flat|nested] mbox.gz Atom feed top
2005-04-14 14:15 Fortuna linux
2005-04-14 13:33 ` Fortuna Theodore Ts'o
2005-04-15 1:34 ` Fortuna linux
2005-04-15 14:42 ` Fortuna Theodore Ts'o
2005-04-15 15:38 ` Fortuna linux
2005-04-15 18:23 ` Fortuna Theodore Ts'o
2005-04-15 16:22 ` Fortuna Jean-Luc Cooke
2005-04-15 16:50 ` Fortuna linux
2005-04-15 17:04 ` Fortuna Jean-Luc Cooke
2005-04-16 10:05 ` Fortuna linux
2005-04-16 15:46 ` Fortuna Jean-Luc Cooke
2005-04-16 17:16 ` Fortuna linux
2005-04-16 19:22 ` Fortuna Matt Mackall
2005-04-16 19:00 ` Fortuna Matt Mackall
2005-04-17 0:19 ` Fortuna David Wagner
2005-04-16 1:28 ` Fortuna David Wagner
2005-04-15 19:34 ` Fortuna Matt Mackall
2005-04-16 1:25 ` Fortuna David Wagner
2005-04-19 19:27 ` Fortuna Patrick J. LoPresti
2005-04-14 14:52 ` Fortuna Jean-Luc Cooke
2005-04-15 0:52 ` Fortuna linux
2005-04-16 1:19 ` Fortuna David Wagner
2005-04-16 1:08 ` Fortuna David Wagner
2005-04-18 19:13 ` Fortuna Matt Mackall
2005-04-18 21:40 ` Fortuna David Wagner
2005-04-19 4:01 ` Fortuna Theodore Ts'o
2005-04-19 4:31 ` Fortuna David Wagner
2005-04-20 7:06 ` Theodore Ts'o [this message]
-- strict thread matches above, loose matches on Subject: below --
2005-04-17 9:21 Fortuna linux
2005-04-16 11:44 Fortuna linux
2005-04-16 11:10 Fortuna linux
2005-04-16 15:06 ` Fortuna Jean-Luc Cooke
2005-04-16 16:30 ` Fortuna linux
2005-04-17 0:37 ` Fortuna David Wagner
2005-04-16 23:40 ` Fortuna David Wagner
2005-04-17 0:36 ` Fortuna David Wagner
2005-04-13 23:43 Fortuna Jean-Luc Cooke
2005-04-14 0:09 ` Fortuna Matt Mackall
2005-04-14 0:26 ` Fortuna Jean-Luc Cooke
2005-04-14 0:44 ` Fortuna Matt Mackall
2005-04-16 1:02 ` Fortuna David Wagner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20050420070630.GB7997@thunk.org \
--to=tytso@mit.edu \
--cc=daw-usenet@taverner.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox