At 2:51 PM -0400 7/28/99, Steven M. Bellovin wrote:
>In message <v04011701b3c4f4fbabb1@[24.218.56.100]>, "Arnold G. Reinhold"
>writes
>> I'd spin it the other way. The best approach to making nonces -- DH
>> exponents, symmetric keys, etc -- is to use a true source of randomness.
>> That eliminates one area of risk. However most computers do not come with
>> random number sources, so one uses unpredictable events and so on to glean
>> entropy. To harvest that entropy you use a whitener. If you use a
>> cryptographic function to do your whitening you get the added advantage of
>> shielding the randomness pool from an attacker.
>
>Define "best approach".

Perhaps I should have said "The best approach ... is to use a
*theoretically perfect* source of randomness." I tried to point out such
things don't exist and come to the same conclusion you do, namely "A sound
design mixes both."

At 11:16 AM -0700 7/28/99, Jon Callas wrote:
>At 10:49 AM -0400 7/28/99, Arnold G. Reinhold wrote:
>
>   I believe the input mechanism Anonymous described *is* the RC4 key setup
>   mechanism. In any case, I take Anonymous' remarks about the brittle nature
>   of RC4 very seriously. I wouldn't mess with it just to double the entropy
>   pool. If you think more entropy is needed, build a side buffer or run two
>   copies of RC4.
>
>It doesn't double the entropy pool. It increases it from being order 256!
>to being order 512!.

Good point, but the ratio of log2(512!) to log2(256!) is only 2.3, a little
more than double the number of bits. That's not worth leaving the
accumulated body of RC4 analysis, IMHO.

>That's one of the places where we differ. I never directly add in entropy
>deposits. I run a separate entropy pool that is hash-based, and
>periodically tap that pool to update the secondary pool. I get really
>nervous about adding entropy directly into a single pool. I also like to
>capitalize on the properties of hash functions for prepping the entropy.

Can you say what you fear might happen if you directly add entropy
deposits? I don't see the problem.

Arnold Reinhold
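As an added illustration (not code from this thread or any of its participants) of the two-pool design Jon Callas describes, the following Python sketch keeps a hash-based primary pool that absorbs every deposit and is periodically tapped to reseed a secondary generator, so raw samples are never mixed into the output stage directly. The SHA-256 chaining, the ratchet on tap, and the reseed interval are assumptions of this example, not anything stated in the thread.

```python
import hashlib
import struct


class HashEntropyPool:
    """Primary pool: deposits are folded into a SHA-256 chain and never
    exposed directly (constructed design, an assumption of this example)."""

    def __init__(self):
        self._state = hashlib.sha256(b"constructed-initial-state").digest()

    def deposit(self, sample: bytes) -> None:
        # Fold the raw sample into the state through the hash so that an
        # observer of any later output learns nothing about the sample itself.
        self._state = hashlib.sha256(self._state + sample).digest()

    def tap(self) -> bytes:
        # Derive a reseed value, then ratchet the state so the value just
        # handed out cannot be recomputed from the new state.
        seed = hashlib.sha256(b"tap" + self._state).digest()
        self._state = hashlib.sha256(b"ratchet" + self._state).digest()
        return seed


class SecondaryGenerator:
    """Secondary pool: hash-counter generator that only changes on reseed."""

    def __init__(self, seed: bytes):
        self._key, self._counter = seed, 0

    def reseed(self, seed: bytes) -> None:
        self._key, self._counter = hashlib.sha256(self._key + seed).digest(), 0

    def next_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self._key + struct.pack(">Q", self._counter)).digest()
            self._counter += 1
        return out[:n]


def run_two_stage(samples, reseed_every=4):
    """Feed constructed samples into the primary pool, reseed the secondary
    every `reseed_every` deposits, and return one 16-byte output per step."""
    pool = HashEntropyPool()
    gen = SecondaryGenerator(pool.tap())
    outputs = []
    for i, sample in enumerate(samples, 1):
        pool.deposit(sample)
        if i % reseed_every == 0:
            gen.reseed(pool.tap())
        outputs.append(gen.next_bytes(16))
    return outputs
```

Because no real entropy is used, the run is deterministic: a changed deposit only affects outputs after the next reseed, which is exactly the separation the two-pool layout buys.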
