On 9/19/23 01:36, Roberto A. Foglietta wrote:
On Tue, 19 Sept 2023 at 03:25, Michael Conrad <[email protected]> wrote:On 9/18/23 06:14, Guillermo Rodriguez Garcia wrote:everything is compressed with gzip -7. This is the worst scenario. However, even in the worst scenario due to gzip one single bit of difference in the input generates a completely different compressed output: Compression (or any other deterministic manipulation of data) does not add any entropy (or "unpredictability") since the processing is 100% reproducible. In terms of entropy the output of the function is as good (or as bad) as the amount of entropy in the initial seed.Hi Michel, Even aside from that, using gzip as some sort of hash function is not going to be anywhere near as good as using an actual hash function, like sha256, sha1 or even md5. PREMISEHashing functions and compression algorithms are two completely different kinds of mathematical tools. The most obvious difference is that
That's a very large response so I'm not sure which part to quote, but I think you're still missing the point. Assuming your initialization of randomness is meant to stop people from guessing the RSA/SSL keys you generate on a small low-power device during startup scripts, the attacker will probably have a copy of your device and be able to replay any of the steps you take during your startup script. It will not matter whether you took a few random bits and a large static text and ran it through pigz before feeding it to /dev/urandom, because the attacker will start with guesses of the same few bits and also run them and that same static text through pigz to potentially get the same output. If they mirror your initialization of /dev/urandom, then they can try to guess your RSA keys. The only defense is having more actual bits of entropy, or preserving them from a previous boot in a manner that the attacker can't read.
My comment about hashing functions was implying that they would be used repeatedly, not that the entire input would be condensed into one single hash. Yes there is a reduction of entropy if you feed a hash function more than 20 bytes of data and only get 20 out of it. My point was that no hashing or compression is needed, because the kernel RNG is itself a sort of hash function and should handle that. Just feed it the raw input bytes.
-Mike
_______________________________________________ busybox mailing list [email protected] http://lists.busybox.net/mailman/listinfo/busybox
