bram
Wed, 4 Aug 1999 05:56:09 -0700
On Mon, 2 Aug 1999 [EMAIL PROTECTED] wrote: > Linux's /dev/random uses a very different design, in that it uses a > large pool to store the entropy. As long as you have enough entropy > (i.e., you don't overdraw on the pool's entropy), /dev/random isn't > relying on the cryptographic properties as much as Yarrow does. The problem is that the one bit of entropy for one bit of output rule creates the potential for lots of denial of service attacks where the entropy gets used up. There is no application which needs that amount of entropy. John Kelsey put it pretty well earlier this thread: Suppose God, in a fit of budget-consciouness, decides to get rid of all this wasteful hardware for generating random numbers that are necessary for quantum mechanics, and instead replaces them with a PRNG with a 256-bit seed. In this case, all hardware noise sources are ultimately tapping into this same seed and PRNG. How will you, or anyone, tell the difference? Most people don't know the fine-grained distinction between /dev/random and /dev/urandom. In fact, I'll bet most developers don't even know that /dev/urandom exists. As a result, lots of programs which require very large amounts of random numbers suck data out of /dev/random, creating a very large potential for unknown numbers of present and future problems. This entire class of problems can be eliminated completely by altering /dev/random to only block at bootup until it has enough entropy (or not at all if there was some stored on disk) and thereafter to spit out data as soon as it's requested. The complete threat model for RNG's, admittedly, has a number of attacks which seem very impractical under current circumstances, but since those attacks can be completely eliminated now prudence indicates doing so. That way, when circumstances arise in which one of those attacks is practical, we can make a little academic note which nobody cares about for it, rather than having to deal with a disaster. The other reason for changing the way /dev/random currently works is that the long output version of RIPEMD160 would make it just plain faster, since it would halve the amount of hashing done per byte of output. The goal is to make it so that any time someone wants random numbers they can go to /dev/random, with no required studying of entropy and threat models and all that yadda yadda yadda which most developers will rightfully recoil from getting into when all they want is a few random bytes. -Bram