
Appropriate sources of entropy

Posted May 24, 2008 8:10 UTC (Sat) by bronson (guest, #4806)
In reply to: Appropriate sources of entropy by ikm
Parent article: Appropriate sources of entropy

My point is, either you care about the strength of your random numbers or you don't.

If you care, you're using /dev/random and you only mix in strong entropy.  Mixing in weak
entropy seems harmless but will mask problems that would otherwise be obvious.  The Debian
situation.

If you don't care, then you're happy with a strong, well-seeded PRNG and there's no need to
mix in dubious random data.

Is there a middle ground?  I don't see one.


Appropriate sources of entropy

Posted May 24, 2008 18:47 UTC (Sat) by ikm (subscriber, #493)

Any cryptographic PRNG needs to be reseeded once in a while, and some dubious data will do
just fine for that, given that it is mixed in in a cryptographically secure way. A box with
only a network connection is a good example of that -- it does not have much real entropy
coming in. You say that in absence of any trusted entropy a crypto PRNG is never to be
reseeded. I would disagree. One of the problems is what would happen if a seed file, which
stores state across reboots, is compromised. Another accounts for any sort of weaknesses found
in a PRNG itself. If you need more details, see Schneier's Yarrow design paper; I could only
agree with what he had to say. The point is, sticking to the one initial seeding forever is a
bad idea.
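As an added illustration of the reseeding argument above (example code written for this page, not from the thread or from Yarrow itself; the pool design, function names and sample values are constructed): a toy hash-mixed pool shows that mixing in data the attacker cannot see breaks prediction after a seed-file compromise, while mixing in too few bits at a time lets the attacker guess them back from one observed output.

```python
import hashlib
import hmac
from typing import Optional

class ReseedablePool:
    """Toy Yarrow-style pool: hash-mixed state, HMAC outputs, ratcheted state."""
    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"seed:" + seed).digest()
        self.counter = 0
    def mix(self, data: bytes) -> None:
        # Hash mixing: the new state is unpredictable if EITHER the old state
        # or the data is unknown to the attacker, so dubious data cannot hurt.
        self.state = hashlib.sha256(b"mix:" + self.state + data).digest()
    def generate(self) -> bytes:
        out = hmac.new(self.state, b"out:%d" % self.counter, hashlib.sha256).digest()
        self.counter += 1
        # Ratchet so a later state compromise does not reveal earlier outputs.
        self.state = hashlib.sha256(b"ratchet:" + self.state).digest()
        return out

def predictable_without_reseed(seed_file: bytes) -> bool:
    # Attacker who read the seed file rebuilds the same pool and tracks it exactly.
    victim, attacker = ReseedablePool(seed_file), ReseedablePool(seed_file)
    return victim.generate() == attacker.generate()

def predictable_after_reseed(seed_file: bytes, fresh: bytes) -> bool:
    # Same compromise, but the victim mixes in data the attacker never sees.
    victim, attacker = ReseedablePool(seed_file), ReseedablePool(seed_file)
    victim.mix(fresh)
    return victim.generate() == attacker.generate()

def recover_by_guessing(seed_file: bytes, observed: bytes, bits: int) -> Optional[bytes]:
    # Iterative guessing: when only `bits` of unknown data were mixed before an
    # output leaked, the attacker re-runs the mix for every candidate value.
    # Yarrow's answer is to accumulate a pool's worth of samples before reseeding.
    for guess in range(1 << bits):
        cand = ReseedablePool(seed_file)
        cand.mix(guess.to_bytes(2, "big"))
        if cand.generate() == observed:
            return guess.to_bytes(2, "big")
    return None

if __name__ == "__main__":
    seed = b"constructed seed file"          # constructed: attacker has a copy
    sample = (42).to_bytes(2, "big")         # constructed: 8 bits of real entropy
    print(predictable_without_reseed(seed), predictable_after_reseed(seed, sample))
    pool = ReseedablePool(seed); pool.mix(sample)
    print(recover_by_guessing(seed, pool.generate(), 8) == sample)
```

Mixing the sample in restores unpredictability against the seed-file reader, but because only 8 bits were unknown, one observed output is enough to recover it; that is why Yarrow reseeds from a pool only once it estimates enough entropy has accumulated.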


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds