To: Colin Plumb <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], [EMAIL PROTECTED],
[EMAIL PROTECTED], [EMAIL PROTECTED]
Subject: Re: Intel announcements at RSA '99
Date: Tue, 26 Jan 1999 18:17:50 -0500
From: Steve Bellovin <[EMAIL PROTECTED]>
Steve Bellovin wrote:
> What I was told at RSA was that the SHA-1 whitening was done by the driver.
> The driver (I think it was the driver, rather than the hardware) also does
> its own quality checks on the hardware RNG.
Ah, good, somebody at Intel gets the point.
>> (I'm also curious what people think is a good rate. I think we surprised
>> them by saying that one bit per second was adequate. Anything more can
>> be generated by cryptographic means.)
> I asked about speed; I was told that that isn't public yet. I do not
> agree that one bit per second is adequate. Apart from any question of
> the strength of the cryptographic RNG, it means that it would take many
> minutes to have enough entropy for even a single true-random DH exchange.
> Their own goal was "fast enough for IPSEC", which is not that fast, though
> more, I would guess, than your statement.
Yes, this is a number I do know (it came up in the same conversation),
and it's rather a lot more than 1 bit per second. :-)
But I still think that given a reasonable amount of seed material,
I can do cryptographic "reprocessing of spent fuel" basically forever
with good security. More is nice, but I do think that 1 bit per second
is all that is *necessary* for 95% of the benefit.
--
-Colin
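
Added example, not part of the original message or of any Intel driver: a minimal generator following the HMAC_DRBG update/generate structure from NIST SP 800-90A, showing both positions in the thread, namely how long a 1 bit/s source takes to fill a DH exponent directly versus seeding once and stretching cryptographically. The 1024-bit exponent size, the 256-bit seed size, the use of SHA-256 and all sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac

class HmacDrbg:
    """Minimal HMAC_DRBG (SP 800-90A update/generate structure), SHA-256."""

    def __init__(self, seed: bytes):
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self._update(seed)

    def _mac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, data: bytes = b"") -> None:
        # Mix `data` into (K, V); with no data this only ratchets the state
        # forward so earlier outputs cannot be recomputed from a later state.
        self.K = self._mac(self.V + b"\x00" + data)
        self.V = self._mac(self.V)
        if data:
            self.K = self._mac(self.V + b"\x01" + data)
            self.V = self._mac(self.V)

    def reseed(self, fresh: bytes) -> None:
        self._update(fresh)

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.V = self._mac(self.V)
            out += self.V
        self._update()
        return out[:n]

def seconds_to_collect(bits: int, bits_per_second: float) -> float:
    """Time for a hardware source to deliver `bits` of raw entropy."""
    return bits / bits_per_second

def demo() -> dict:
    seed = bytes(range(32))            # constructed sample, NOT real entropy
    a, b = HmacDrbg(seed), HmacDrbg(seed)
    x1, x2 = a.generate(128), a.generate(128)  # two 1024-bit exponents (assumed size)
    b.generate(128); b.generate(128)   # bring b to the same state as a
    a.reseed(b"\xa5")                  # 8 trickled bits (constructed value)
    return {
        "exponents_differ": x1 != x2,
        "reseed_changes_stream": a.generate(32) != b.generate(32),
        "direct_1024_bits_s": seconds_to_collect(1024, 1.0),  # about 17 minutes
        "seed_256_bits_s": seconds_to_collect(256, 1.0),      # one-time cost
    }
```

The security of everything generated after seeding rests on the seed's entropy and on HMAC, which is the trade-off the two correspondents disagree about.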