Arnold G. Reinhold
Wed, 11 Aug 1999 07:07:19 -0700
At 9:02 AM +0300 8/11/99, Osma Ahvenlampi wrote:
>Arnold G. Reinhold <[EMAIL PROTECTED]> writes:
> > 1. Mr. Kelsey's argument that entropy should only be added in large
> > quanta is compelling, but I wonder if it goes far enough. I would
> > argue that entropy collected from different sources (disk, network,
> > sound card, user input, etc.) should be collected in separate pools,
> > with each pool tapped only when enough entropy has been collected in
> > that pool.
>
>You have to realize that /dev/random entropy collection doesn't get
>one bit, add it to the pool, and increment the entropy counter. What
>happens is that it gets a notification for an interrupt along with the
>interrupt number, the keyboard scancode, or similar, reads a
>high-resolution clock (and gets 32 bits from there), and mixes these
>two numbers (40 bits, usually, I believe) to the pool, and tries to
>estimate how much entropy the time contained (by calculating first,
>second and third-order deltas and taking the smallest, I recall).
>
>So, for each 40 bits mixed into the pool, a few bits of entropy is
>credited. How do you propose quantizing this? Collecting all of the
>bits in a staging area and adding them when the entropy count is big
>enough?

That's the general idea. The details of "adding them" need to be discussed.

>That could mean a kilobit or more of staging area, and per
>your suggestion the driver would have to have several of them. Gets
>pretty unwieldy, quickly.

Maybe you'd need a kilobyte altogether? That seems quite wieldy to me. Random number generation is one of the major vulnerabilities of modern cryptographic systems, maybe the biggest. One KB is a very cheap price to pay for a significant improvement in RNG security.

>Also, this design means that there's always at least 32 bits mixed
>into the pool at once, and it might not always increase the entropy
>count at all. In a sense, /dev/random already does quantized
>collection.

That idea won't fly, I'm afraid. We're talking about waiting until you accumulate, say, 128 bits of entropy (some might prefer 256 bits), not raw data bits.

Arnold Reinhold
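The scheme debated in this message, sketched as an added example that is not code from either poster or from the Linux driver: each source stages its 40-bit samples, credits entropy from the smallest of the first, second and third-order time deltas, and releases only once 128 estimated bits have accumulated. The struct and function names, the 128-byte staging size, the log2 mapping with its 12-bit cap, and the XOR folding are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define RELEASE_BITS 128 /* entropy threshold named in the message */
#define STAGE_BYTES  128 /* per-source staging size (assumption) */
struct source {
    int64_t last_time, last_delta, last_delta2;
    unsigned credited, releases, pos; /* staged estimate, release count, write offset */
    uint8_t stage[STAGE_BYTES];
};

/* Credit floor(log2(min(|d1|,|d2|,|d3|))) bits, capped at 12 (assumed mapping). */
static unsigned estimate_bits(struct source *s, uint32_t now) {
    int64_t d1 = (int64_t)now - s->last_time;
    int64_t d2 = d1 - s->last_delta, d3 = d2 - s->last_delta2, m = llabs(d1);
    unsigned bits = 0;
    s->last_time = now; s->last_delta = d1; s->last_delta2 = d2;
    if (llabs(d2) < m) m = llabs(d2);
    if (llabs(d3) < m) m = llabs(d3);
    while (m > 1 && bits < 12) { m >>= 1; bits++; }
    return bits;
}

/* Stage one 40-bit sample, XOR-folded so a source that never earns credit
 * cannot overflow the buffer. Returns 1 when the staged data is released. */
int add_sample(struct source *s, uint8_t code, uint32_t now) {
    uint8_t raw[5] = { code, (uint8_t)(now >> 24), (uint8_t)(now >> 16), (uint8_t)(now >> 8), (uint8_t)now };
    for (int i = 0; i < 5; i++) s->stage[s->pos++ % STAGE_BYTES] ^= raw[i];
    s->credited += estimate_bits(s, now);
    if (s->credited < RELEASE_BITS) return 0;
    memset(s->stage, 0, sizeof s->stage); /* a real driver would first hash stage[] into the main pool */
    s->credited = 0; s->pos = 0; s->releases++;
    return 1;
}

/* Constructed input: n events 1000 ticks apart, plus LCG jitter if jitter != 0. */
unsigned simulate(int jitter, int n) {
    struct source s = {0};
    uint32_t now = 0, x = 1;
    while (n-- > 0) {
        x = x * 1103515245u + 12345u;
        now += 1000 + (jitter ? (x >> 16) % 4096 : 0);
        add_sample(&s, 0x1e, now);
    }
    return s.releases;
}
int main(void) {
    printf("periodic: %u releases, jittery: %u releases\n", simulate(0, 1000), simulate(1, 1000));
    return 0;
}
```

A perfectly periodic source is credited only for its first sample and never reaches the threshold, so under this scheme it contributes nothing to the main pool no matter how many raw bits it stages.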