At 08:02 PM 7/22/99 +0200, Anonymous wrote:
>> That is:
>> 1a') When there is entropy in the pool, it [/dev/urandom]
>> gobbles it all up before
>> acting like a PRNG. Leverage factor=1. This causes other applications to
>> stall if they need to read /dev/random.
>
>This does not seem to be a big problem, and in fact is arguably the right
>behavior.
>
>What it means is, /dev/urandom provides the best quality random numbers
>possible, given the entropy available.
Hmmmm. People usually take the "minimax" approach to security analysis;
that is, we design our defenses assuming the opponents make their best
move. Therefore I don't understand the argument for using "best available"
bits.
ISTM that if a certain quality X+ is required, it should be required
always, unless proven otherwise. To say it the other way, if a certain
quality X- suffices sometimes it should suffice always, unless proven
otherwise.
In my case X- is the unreseeded PRNG behavior of /dev/urandom. The
designers of linux-ipsec have evidently decided this is good enough,
because that's where they get key material.
In my application, many keys will be generated during conditions where the
TRNG has been totally depleted. I must assume that attackers will know
this, and will be able to focus their attacks on those keys.
If you are telling me that the unreseeded PRNG is not good enough, then I
have deployed an insecure system. That would be bad, and there would be no
way to fix it short of a hardware TRNG.
OTOH if the unreseeded PRNG *is* good enough, then it is wastefully selfish
for it to gobble up all the TRNG bits. It is improper to assume that the
application that is gobbling up all the PRNG bits is the only application
running on this machine. In my case there are other applications for which
one could make a very good argument that they need TRNG bits under
conditions when IPsec does not.
Also......
At 12:40 PM 7/22/99 -0700, bram wrote in part:
>> In particular, consider the following reseeding schedule:
>> a) Every N minutes...
>> b) Every Z bits of PRNG output...
>> c) As soon as a quantum of TRNG material is available ...
>> ... whichever comes *LAST*, and where N and Z are chosen to ensure a good
>> leverage ratio.
>
>a) and b) don't help much - the true answer is c).
One could argue (a) and (b) *do* add something -- they address the problem
that started this thread, namely the seemingly-needless depletion of the TRNG.
Right?
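To make the depletion argument and the reseeding schedule concrete, here is an added simulation that is not part of this thread or of the Linux /dev/random code. It models an abstract entropy pool (only the credited bit count matters), a hypothetical hash-chained PRNG as a stand-in for the kernel generator, and two policies: the "gobble everything" behaviour described as 1a', and the combined schedule (every N ticks, every Z output bits, a quantum of TRNG material available, whichever comes last). The workload, rates, and N/Z/quantum values are constructed for the demo; the measured quantities are the thread's leverage ratio (output bits per TRNG bit consumed) and how many pool bits are left for a concurrent /dev/random reader.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class EntropyPool:
    """Constructed stand-in for the kernel TRNG pool: the policy only needs the credited bit count."""
    bits: int = 0

    def credit(self, n: int) -> None:
        self.bits += n

    def drain(self, n: int) -> int:
        """Take up to n bits and return how many were actually taken."""
        taken = min(n, self.bits)
        self.bits -= taken
        return taken


class Prng:
    """Hypothetical hash-chained PRNG (not the kernel's generator); the reseeding policy is the point."""

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(seed).digest()
        self.counter = 0

    def reseed(self, material: bytes) -> None:
        self.state = hashlib.sha256(self.state + material).digest()
        self.counter = 0

    def output(self, nbits: int) -> bytes:
        out = b""
        while len(out) * 8 < nbits:
            out += hashlib.sha256(self.state + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[: (nbits + 7) // 8]


@dataclass
class Stats:
    trng_bits_consumed: int = 0
    bits_delivered: int = 0
    reseeds: int = 0
    pool_bits_left: int = 0

    def leverage(self) -> float:
        """Output bits per TRNG bit consumed (the thread's 'leverage ratio')."""
        return self.bits_delivered / self.trng_bits_consumed


def simulate(policy: str, ticks: int = 100, trng_rate: int = 64, request_bits: int = 128,
             n_ticks: int = 10, z_bits: int = 1024, quantum: int = 128) -> Stats:
    """Run a constructed workload: each tick the TRNG credits trng_rate bits and one
    request_bits key is generated.  Think of a tick as a minute and N, Z, quantum as
    the schedule parameters from the thread (values chosen for the demo)."""
    pool = EntropyPool()
    prng = Prng(b"constructed initial seed")
    stats = Stats()
    last_reseed_tick = 0
    bits_since_reseed = 0
    for t in range(ticks):
        pool.credit(trng_rate)
        if policy == "greedy":
            # 1a': take every credited bit first, act like a PRNG only once the pool is empty
            taken = pool.drain(request_bits)
            if taken:
                prng.reseed(taken.to_bytes(4, "big"))  # placeholder for the drained bits themselves
                stats.trng_bits_consumed += taken
                stats.reseeds += 1
        elif policy == "scheduled":
            # (a), (b), (c) combined "whichever comes last": reseed only when ALL three hold
            due_by_time = t - last_reseed_tick >= n_ticks
            due_by_output = bits_since_reseed >= z_bits
            material_ready = pool.bits >= quantum
            if due_by_time and due_by_output and material_ready:
                taken = pool.drain(quantum)
                prng.reseed(taken.to_bytes(4, "big"))  # placeholder for the drained bits themselves
                stats.trng_bits_consumed += taken
                stats.reseeds += 1
                last_reseed_tick = t
                bits_since_reseed = 0
        else:
            raise ValueError(f"unknown policy {policy!r}")
        prng.output(request_bits)
        stats.bits_delivered += request_bits
        bits_since_reseed += request_bits
    stats.pool_bits_left = pool.bits
    return stats


if __name__ == "__main__":
    for name in ("greedy", "scheduled"):
        s = simulate(name)
        print(f"{name:9s} reseeds={s.reseeds:3d} trng_used={s.trng_bits_consumed:5d} "
              f"pool_left={s.pool_bits_left:5d} leverage={s.leverage():.1f}")
```

With the constructed defaults both policies deliver the same 12800 output bits, but the greedy policy drains the pool on every tick (leverage 2.0, nothing left for /dev/random readers), while the schedule reseeds nine times on 1152 TRNG bits (leverage about 11) and leaves 5248 credited bits in the pool. Changing n_ticks or z_bits shows why (a) and (b) matter: with only condition (c), a fast TRNG would again be reseeded as often as material arrives.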