On Fri, Aug 16, 2013 at 9:18 AM, Patrick Mylund Nielsen <
cryptogra...@patrickmylund.com> wrote:

> Yes, but they aren't talking about urandom. Your reply made it sound like
> random is weak, but the paper points to both (as urandom is seeded by
> random), and they propose a new AES-based PRNG that accumulates entropy
> properly.
>

I'm not sure if you feel the same way, but the opinion of many uneducated
observers[1] seems to be that using a PRNG at all in these contexts is
"insecure" when that is absolutely not the case, and for the most part
there isn't a meaningful difference between the security of random vs
urandom except that random will run out of entropy.

The "urandom is insecure" claims are specifically what I was trying to
challenge, and I hope this paper helps drive it home. If "urandom is
insecure", it isn't more so than /dev/random.

[1]:
http://arstechnica.com/security/2013/08/google-confirms-critical-android-crypto-flaw-used-in-5700-bitcoin-heist/?comments=1&post=25102733#comment-25102733

-- 
Tony Arcieri
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography