shawn wilson <ag4ve...@gmail.com> wrote: > I thought that decent crypto programs (openssh, openssl, tls suites) > should read from random so they stay secure and don't start generating > /insecure/ data when entropy runs low.
(Talking about Linux, the only system where I know the details) urandom uses cryptographically strong mixing (SHA-1) and has enormous state, so it should be secure barring pathological cases like the router vendors whose version of Linux failed to initialise things properly or an enemy who already has root on your system so he/she can look at kernel internals. (and that enemy has much better targets to go after). Papers like Yarrow with respected authors argue convincingly that systems with far smaller state can be secure. > The only way I could see this > as being a smart thing to do is if these programs also looked at how > much entropy the kernel had and stopped when it got ~50 or so. Is this > the way things are done when these programs use urandom or what? That would make no sense since the interface provides another way to get the effect. If you really need guaranteed entropy, for example to generate a long-term key, then use /dev/random. The driver then checks the entropy and blocks (makes your program wait) if there is not enough. _______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography