At 9:02 AM +0300 8/11/99, Osma Ahvenlampi wrote:
>Arnold G. Reinhold <[EMAIL PROTECTED]> writes:
> > 1. Mr. Kelsey's argument that entropy should only be added in large
> > quanta is compelling, but I wonder if it goes far enough. I would
> > argue that entropy collected from different sources (disk, network,
> > sound card, user input, etc.) should be collected in separate pools,
> > with each pool tapped only when enough entropy has been collected in
> > that pool.
>
>You have to realize that /dev/random entropy collection doesn't get
>one bit, add it to the pool, and increment the entropy counter. What
>happens is that it gets a notification for an interrupt along with the
>interrupt number, the keyboard scancode, or similar, reads a
>high-resolution clock (and gets 32 bits from there), and mixes these
>two numbers (40 bits, usually, I believe) to the pool, and tries to
>estimate how much entropy the time contained (by calculating first,
>second and third-order deltas and taking the smallest, I recall).
>
>So, for each 40 bits mixed into the pool, a few bits of entropy are
>credited. How do you propose quantizing this? Collecting all of the
>bits in a staging area and adding them when the entropy count is big
>enough?

That's the general idea. The details of "adding them" need to be discussed.

>That could mean a kilobit or more of staging area, and per
>your suggestion the driver would have to have several of them. Gets
>pretty unwieldy, quickly.

Maybe you'd need a kilobyte all together? That seems quite wieldy to
me. Random number generation is one of the major vulnerabilities of
modern cryptographic systems, maybe the biggest. One KB is a very
cheap price to pay for a significant improvement in RNG security.

>Also, this design means that there's always at least 32 bits mixed
>into the pool at once, and it might not always increase the entropy
>count at all. In a sense, /dev/random already does quantized
>collection.

That idea won't fly, I'm afraid. We're talking about waiting until
you accumulate, say, 128 bits of entropy (some might prefer 256
bits), not raw data bits.

Arnold Reinhold
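As an added illustration (not code from this thread or from the Linux driver), here is a toy model of the per-source staging Arnold proposes, using the first/second/third-order delta credit heuristic Osma describes: samples sit in a per-source staging area and are folded into the main pool only when 128 credited bits have accumulated. The hash-chain pool, the 12-bit cap per event, and the two event streams are constructed assumptions.

```python
import hashlib, random

THRESHOLD_BITS = 128  # the quantum the thread proposes: release staged data only once this is credited

class MainPool:
    """Toy stand-in for the driver's mixing pool: a hash chain over released batches."""
    def __init__(self):
        self.state = hashlib.sha256(b"constructed initial state").digest()
        self.mixes = 0
    def mix(self, source, batch):
        self.state = hashlib.sha256(self.state + source.encode() + batch).digest()
        self.mixes += 1

class StagedSource:
    """Per-source staging area: raw 40-bit samples wait here until enough entropy is credited."""
    def __init__(self, name):
        self.name, self.staging, self.credited_bits, self.releases = name, bytearray(), 0, 0
        self.last = (0, 0, 0)  # (last timestamp, last first-order delta, last second-order delta)

def estimate_bits(src, t):
    """Credit floor(log2(min(|d1|, |d2|, |d3|))), capped at 12 (assumed): the delta heuristic from the thread."""
    last_t, last_d1, last_d2 = src.last
    d1 = t - last_t
    d2 = d1 - last_d1
    d3 = d2 - last_d2
    src.last = (t, d1, d2)
    smallest = min(abs(d1), abs(d2), abs(d3))
    return min(max(smallest, 1).bit_length() - 1, 12)

def add_sample(src, main, event_value, timestamp):
    """Stage an 8-bit event value plus a 32-bit clock reading; return True if the batch was released."""
    src.staging += bytes([event_value & 0xFF]) + (timestamp & 0xFFFFFFFF).to_bytes(4, "big")
    src.credited_bits += estimate_bits(src, timestamp)
    if src.credited_bits < THRESHOLD_BITS:
        return False
    main.mix(src.name, bytes(src.staging))  # the whole batch enters the pool at once
    src.staging.clear()
    src.credited_bits = 0
    src.releases += 1
    return True

def simulate(events=400):
    """Constructed input: jittery disk timings versus a perfectly regular keyboard repeat."""
    main, disk, kbd = MainPool(), StagedSource("disk"), StagedSource("keyboard")
    rng, t_disk, t_kbd = random.Random(1), 0, 0
    for i in range(events):
        t_disk += 1000 + rng.randrange(1024)  # jitter the estimator can credit
        add_sample(disk, main, i & 0xFF, t_disk)
        t_kbd += 5000  # fixed interval: second- and third-order deltas collapse to zero
        add_sample(kbd, main, 0x1E, t_kbd)
    return main, disk, kbd
```

The regular keyboard stream earns credit only on its very first event and never reaches the threshold, so its staging area is never released into the pool, while the jittery disk stream releases repeatedly.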