Arnold G. Reinhold
Tue, 10 Aug 1999 07:48:19 -0700
I have found this discussion very stimulating and enlightening. I'd like to make a couple of comments:

1. Mr. Kelsey's argument that entropy should only be added in large quanta is compelling, but I wonder if it goes far enough. I would argue that entropy collected from different sources (disk, network, sound card, user input, etc.) should be collected in separate pools, with each pool tapped only when enough entropy has been collected in that pool. Mixing sources gives an attacker added opportunities. For example, say entropy is being mixed from disk accesses and from network activity. An attacker could flood his target with network packets he controlled, ensuring that there would be few disk entropy deposits in any given quantum release. On the other hand, if the entropy were collected separately, disk activity entropy would completely rekey the PRNG whenever enough accumulated, regardless of network manipulation. Similarly, in a system with a hardware entropy source, adding disk entropy in a mixing mode would serve little purpose, but if the pools were kept separate, disk entropy would be a valuable backup in case the hardware source failed or were compromised.

2. It seems clear that the best solution combines strong crypto primitives with entropy collection. I wonder how much of the resistance expressed in this thread by has to do with concerns about performance. For this reason, I think RC4 deserves further consideration. It is very fast and has a natural entropy pool built in. With some care, I believe RC4 can be used in such a way that attacks on the PRNG can be equated to an attack on RC4 as a cipher. The cryptanalytic significance of RC4's imperfect whiteness is questionable and can be addressed in a number of ways, if needed. I have some thoughts on a fairly simple and efficient multi-pool PRNG design based on RC4, if anyone is interested.

3. With regard to diskless nodes, I suggest that the cryptographic community should push back by saying that some entropy source is a requirement and come up with a specification (minimum bit rate, maximum acceptable color, testability, open design, etc.). An entropy source spec would reward Intel for doing the right thing and encourage other processor manufacturers to follow their lead. A hardware RNG can also be added at the board level. This takes careful engineering, but is not that expensive. The review of the Pentium III RNG on www.cryptography.com seems to imply that Intel is only claiming patent protection on its whitening circuit, which is superfluous, if not harmful. If so, their RNG design could be copied.

Arnold Reinhold
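The separate-pools argument from point 1, as an added illustration that is not the author's code: each source feeds its own pool and the generator is rekeyed only when one pool alone has accumulated the threshold, so a flood of attacker-visible network events cannot dilute the disk pool's quantum. The RC4 pool the author has in mind is replaced here by a SHA-256 hash per pool and an HMAC counter-mode generator, and the credited entropy figures, the 1-in-50 disk event rate and the `flood_scenario` comparison are all constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict


class MultiPoolPRNG:
    """One hash-based pool per source; the generator is rekeyed only when a single pool
    has accumulated threshold_bits on its own (or from the one shared pool, if mixed)."""

    def __init__(self, threshold_bits=128, separate_pools=True):
        self.threshold, self.separate = threshold_bits, separate_pools
        self.hashes = defaultdict(hashlib.sha256)   # running hash of each pool's input
        self.bits = defaultdict(int)                # entropy credited since last release
        self.unknown = defaultdict(int)             # credit from attacker-invisible events
        self.key, self.counter = b"\x00" * 32, 0
        self.reseeds = []                           # attacker-unknown bits behind each rekey

    def add_event(self, source, data, est_bits, attacker_visible=False):
        pool = source if self.separate else "mixed"
        self.hashes[pool].update(data)
        self.bits[pool] += est_bits
        if not attacker_visible:
            self.unknown[pool] += est_bits
        if self.bits[pool] >= self.threshold:       # release the whole pool as one quantum
            self.key = hashlib.sha256(self.key + self.hashes[pool].digest()).digest()
            self.reseeds.append(self.unknown[pool])
            del self.hashes[pool], self.bits[pool], self.unknown[pool]  # fresh pool

    def random_bytes(self, n):
        out = b""
        while len(out) < n:  # HMAC in counter mode stands in for the RC4 keystream
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]


def flood_scenario(separate_pools):
    """Constructed scenario: the attacker floods 'network' with packets that are credited
    8 bits each but are entirely attacker-visible; a genuine 'disk' event (8 bits) arrives
    only once per 50 packets.  Returns the attacker-unknown bits behind each rekey."""
    prng = MultiPoolPRNG(threshold_bits=128, separate_pools=separate_pools)
    for i in range(2000):
        if i % 50 == 0:
            prng.add_event("disk", i.to_bytes(4, "big"), 8)
        prng.add_event("network", b"flood" + i.to_bytes(4, "big"), 8, attacker_visible=True)
    return prng.reseeds
```

With a single mixed pool every release carries at most 8 bits the attacker does not know; with separate pools the disk pool still produces releases backed by the full 128 bits, however much the network is flooded.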