Re: CSPRNG stuff


bram (bram@gawth.com)
Sun, 7 Feb 1999 11:21:38 -0800 (PST)


In the midst of all the confusion about acronyms, I'm going to use the
following term for this post:

hamster - a creature whose entire purpose in life is to eat and poop, for
example a cryptographically strong continuously seeded pseudo random
number generator.

On Sun, 7 Feb 1999, David R. Conrad wrote:

> Here are a couple of quotes from linux/drivers/char/random.c; I have not
> made any attempt to check that the code operates as advertised
>
> * The two other interfaces are two character devices /dev/random and
> * /dev/urandom. /dev/random is suitable for use when very high
> * quality randomness is desired (for example, for key generation or
> * one-time pads), as it will only return a maximum of the number of
> * bits of randomness (as estimated by the random number generator)
> * contained in the entropy pool.

Nothing particularly strange there ...

> * The /dev/urandom device does not have this limit, and will return
> * as many bytes as are requested. As more and more random bytes are
> * requested without giving time for the entropy pool to recharge,
> * this will result in random numbers that are merely cryptographically
> * strong. For many applications, however, this is acceptable.

Well, it will behave that way when it's replaced with a hamster, anyhow. I
wonder what 'cryptographically strong' trickery is in the code for urandom
right now.

This introduces an interesting dilemma - if you're going to hamsterize the
linux random code, should you replace /dev/random, or should you stick to
what the documentation says and just replace /dev/urandom? I'd say the
former, since most applications read from /dev/random and they *never*
really need 1 bit of 'real' entropy per 1 bit of output (The
cryptographically strong substitution is indistinguishable so long as the
amount of entropy in the pool is sufficiently high.)

Unfortunately, neither random nor urandom is documented as possibly
encountering an IO problem when there just plain isn't any entropy around,
which is a behavior one certainly might want.

-Bram
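The two policies the quoted random.c comments describe, and the "refuse instead of silently degrading" behaviour Bram asks for at the end, can be sketched in a few lines. The following is an added illustration written for this archive page, not code from Linux random.c or from anyone in the thread: a toy "hamster" built on HMAC-SHA256 whose `blocking=True` mode debits the entropy estimate for every output bit (the documented /dev/random policy) and whose `blocking=False` mode only insists on having been seeded once (the documented /dev/urandom policy). The class name, the `EntropyExhausted` error and the seed bytes are all constructed for the example.

```python
import hashlib
import hmac


class EntropyExhausted(Exception):
    """Raised instead of blocking when the pool cannot back a request."""


class Hamster:
    """Toy continuously reseeded CSPRNG (hypothetical; not Linux random.c).

    blocking=True mimics the documented /dev/random policy: each output bit is
    debited from the entropy estimate, and a request the estimate cannot cover
    is refused.  blocking=False mimics the documented /dev/urandom policy: once
    the pool has been seeded past min_entropy_bits it answers every request.
    """

    def __init__(self, blocking: bool, min_entropy_bits: int = 128) -> None:
        self.blocking = blocking
        self.min_entropy_bits = min_entropy_bits
        self.state = hashlib.sha256(b"hamster-init").digest()  # fixed, unseeded state
        self.counter = 0
        self.entropy_bits = 0  # the generator's own (optimistic) estimate

    def add_entropy(self, data: bytes, estimated_bits: int) -> None:
        """Mix new seed material into the state with a keyed hash."""
        self.state = hmac.new(self.state, b"seed" + data, hashlib.sha256).digest()
        self.entropy_bits += estimated_bits

    def read(self, n: int) -> bytes:
        """Return n bytes, or raise EntropyExhausted rather than degrade quietly."""
        if self.blocking:
            if self.entropy_bits < 8 * n:
                raise EntropyExhausted(
                    f"pool holds {self.entropy_bits} bits, {8 * n} requested")
            self.entropy_bits -= 8 * n
        elif self.entropy_bits < self.min_entropy_bits:
            raise EntropyExhausted("generator has not been seeded yet")
        out = bytearray()
        while len(out) < n:
            block = hmac.new(self.state, b"out" + self.counter.to_bytes(8, "big"),
                             hashlib.sha256).digest()
            self.counter += 1
            out += block
        # Ratchet the key so a later state compromise does not expose past output.
        self.state = hmac.new(self.state, b"ratchet", hashlib.sha256).digest()
        return bytes(out[:n])


def demo() -> dict:
    """Seed both flavours with the same constructed material and compare policies."""
    seed = b"constructed seed material, not real entropy"  # constructed sample input
    rnd = Hamster(blocking=True)
    urnd = Hamster(blocking=False)
    for h in (rnd, urnd):
        h.add_entropy(seed, estimated_bits=256)
    results = {}
    results["random_first"] = len(rnd.read(16))      # 128 bits debited, 128 left
    results["urandom_many"] = len(urnd.read(4096))   # far more output than entropy
    try:
        rnd.read(32)                                 # needs 256 bits, only 128 left
        results["random_refused"] = False
    except EntropyExhausted:
        results["random_refused"] = True
    results["same_seed_same_output"] = (
        Hamster(blocking=False).read(8) if False else
        _seeded(seed).read(8) == _seeded(seed).read(8))
    return results


def _seeded(seed: bytes) -> Hamster:
    h = Hamster(blocking=False)
    h.add_entropy(seed, estimated_bits=256)
    return h


if __name__ == "__main__":
    print(demo())
```

The point the example makes is the one in the post: the non-blocking flavour's output stays indistinguishable from random as long as the state was seeded with enough entropy, so the per-bit accounting of the blocking flavour buys nothing for ordinary callers; what a caller does want is an explicit error (here `EntropyExhausted`) when seeding has not happened at all.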



The following archive was created by hippie-mail 7.98617-22 on Sat Apr 10 1999 - 01:18:26