Re: Analysis of /dev/random

Adam Shostack (adam@homeport.org)
Fri, 9 Apr 1999 15:56:49 -0400

• Next message: mgraffam@idsi.net: "Re: Analysis of /dev/random"
• Previous message: Adam Shostack: "Re: Analysis of /dev/random"
• In reply to: mgraffam@idsi.net: "Re: Analysis of /dev/random"
• Next in thread: mgraffam@idsi.net: "Re: Analysis of /dev/random"
• Reply: mgraffam@idsi.net: "Re: Analysis of /dev/random"

On Fri, Apr 09, 1999 at 02:19:43PM -0400, mgraffam@idsi.net wrote:
| On Fri, 9 Apr 1999, Adam Shostack wrote:
| > | On Fri, 9 Apr 1999, David Honig wrote:
| > | > You would have to dump the *raw* bits coming in, measure their
| > | > entropy[1], and look at how many bits in for each bit out. Then you
| > | > would have a measure on physical-entropy-per-output bit.
|
| > On Fri, Apr 09, 1999 at 01:33:01PM -0400, mgraffam@idsi.net wrote:
| > | I'm looking into exporting another interface .. one that dumps the raw
| > | contents of the pool, w/o SHA. Now.. the question becomes, do we want
| > | the stirred pool (post-processed by the mixing function), or the virgin
| > | data?
|
|
| > Why would you ever want the pool directly available? There is
| > substantial risk there of the user being able to guess forward the
| > state of the pool, since the data is not being strongly avalanched in.
| > >From the innocent users perspective, there should be no difference
| > between getting random_pool, and sha-1(random_pool).
|
| In ordinary day-to-day life, you wouldn't want this feature enabled.
| But..
|
| Have you ever seen the entropy pool? I haven't. This is scary. The whole
| point is this discussion is to see just what sort of bits we are getting,
| and we can't do this if we hide everything behind SHA.

Oh, I see.

I'd suggest that a better way to do this is to look carefully at the
algorithm, and decide, if implemented correctly, it works well (I
suspend that in the case of (eg) a web server, it doesn't.) Once
you've done this, decide if the algorithm is implemented to spec.
In any event, I'm not sure you really learn anything interesting from
analyzing the bits in the pool; you need to look at attack models for
various attackers trying to learn things about the pool, and how well
they can maintain and abuse that knowledge over time.

I don't know if you saw my post to cypherpunks this morning, where I
suggest that the weakness of the algorithm is probably the weak mixing
function doesn't help the pool recover well from a state comprimise.

Adam

-- 
"It is seldom that liberty of any kind is lost all at once."
					               -Hume

• Next message: mgraffam@idsi.net: "Re: Analysis of /dev/random"
• Previous message: Adam Shostack: "Re: Analysis of /dev/random"
• In reply to: mgraffam@idsi.net: "Re: Analysis of /dev/random"
• Next in thread: mgraffam@idsi.net: "Re: Analysis of /dev/random"
• Reply: mgraffam@idsi.net: "Re: Analysis of /dev/random"