Re: Analysis of /dev/random


mgraffam@idsi.net
Fri, 9 Apr 1999 15:32:35 -0400 (EDT)


On Fri, 9 Apr 1999, Adam Shostack wrote:

> On Fri, Apr 09, 1999 at 02:19:43PM -0400, mgraffam@idsi.net wrote:
> | Have you ever seen the entropy pool? I haven't. This is scary. The whole
> | point of this discussion is to see just what sort of bits we are getting,
> | and we can't do this if we hide everything behind SHA.

> I'd suggest that a better way to do this is to look carefully at the
> algorithm, and decide, if implemented correctly, it works well (I
> suspect that in the case of (eg) a web server, it doesn't.)

From my POV, this can't tell us much in this case.

random.c is a piece of code for harvesting entropy from the state of the
machine.

I am confident that the theory of random.c follows if we accept the idea
that the machine state gives us decent entropy..

What I am wondering is very simple.. I know that disk IRQ timing is going
to give us some entropy.. and I know that keyboard and mouse clicks will
give us some more.. but how much?

This we can't tell from looking at the code, or analyzing the algorithm.

I am an empiricist.. I want to see the entropy pool. I'd be surprised
if it has a distribution anything like SHA.. if it doesn't then we can
apply well known techniques for estimating how much entropy is in there,
and modify the code to distill the pool down to that number of bits with
SHA.

> In any event, I'm not sure you really learn anything interesting from
> analyzing the bits in the pool; you need to look at attack models for
> various attackers trying to learn things about the pool, and how well
> they can maintain and abuse that knowledge over time.

Let's assume for a moment, that during an average load, a machine's
pool contains 4 bits/byte of entropy. Now, for the sake of argument..
if random.c puts out 5 bits/byte .. we are in trouble, aren't we?

In practice, random.c keeps an estimate of the usable entropy in the pool.
How good is this estimate?

This is what I want to see analyzed.

Michael J. Graffam (mgraffam@idsi.net)
Be a munitions trafficker: http://www.dcs.ex.ac.uk/~aba/rsa/rsa-keygen.html

#!/bin/perl -sp0777i<X+d*lMLa^*lN%0]dsXx++lMlN/dsM0<j]dsj
$/=unpack('H*',$_);$_=`echo 16dio\U$k"SK$/SM$n\EsN0p[lN*1
lK[d2%Sa2/d0$^Ixp"|dc`;s/\W//g;$_=pack('H*',/((..)*)$/)
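
An added illustration, not part of the original message and not code from random.c: the kind of empirical estimate the message asks for, compared against a credited bits/byte figure. It assumes a raw (pre-hash) pool sample is available as bytes; the function names and the constructed sample are hypothetical.

```python
import math
from collections import Counter

def shannon_bits_per_byte(sample: bytes) -> float:
    """Shannon entropy of the byte-frequency distribution."""
    n = len(sample)
    return -sum(c / n * math.log2(c / n) for c in Counter(sample).values())

def min_entropy_bits_per_byte(sample: bytes) -> float:
    """Min-entropy: set by the single most likely byte value."""
    return -math.log2(max(Counter(sample).values()) / len(sample))

def conditional_bits_per_byte(sample: bytes) -> float:
    """H(X_n | X_{n-1}): what is left once the previous byte is known.
    Needs far more than 65536 pairs to be meaningful on high-entropy data."""
    pairs = Counter(zip(sample, sample[1:]))
    prev = Counter(sample[:-1])
    total = len(sample) - 1
    return -sum(c / total * math.log2(c / prev[a])
                for (a, _), c in pairs.items())

def conservative_estimate(sample: bytes) -> float:
    """Lowest of the three estimates. Every one of them is computed from
    sample statistics only, so each is an upper bound on the entropy an
    attacker who models the source better would actually face."""
    return min(shannon_bits_per_byte(sample),
               min_entropy_bits_per_byte(sample),
               conditional_bits_per_byte(sample))

def overcredited(sample: bytes, credited_bits_per_byte: float) -> bool:
    """True when the credited figure exceeds what the sample supports."""
    return credited_bits_per_byte > conservative_estimate(sample)

# Constructed sample: 16 byte values, equally frequent, in a fixed cycle.
# Byte frequencies alone say 4 bits/byte; the sequence is fully predictable.
CYCLE = bytes(i % 16 for i in range(4096))

if __name__ == "__main__":
    print("shannon     :", shannon_bits_per_byte(CYCLE))
    print("min-entropy :", min_entropy_bits_per_byte(CYCLE))
    print("conditional :", conditional_bits_per_byte(CYCLE))
    print("5 bits/byte overcredited:", overcredited(CYCLE, 5.0))
```

The constructed sample looks like 4 bits/byte to a frequency count but 0 bits/byte once the previous byte is taken into account, which is why a frequency-only measurement cannot by itself validate a credited estimate.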



The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:22