On Wed, Dec 17, 2008 at 03:02:54PM -0500, Perry E. Metzger wrote:
> The longer I'm in this field, the more the phrase "use with extreme
> caution" seems to mean "don't use" to me. More and more, I think that
> if you don't have a really good way to test and get assurance about a
> component of your security architecture, you should leave that
> component out.

But do beware of becoming something of a luddite w.r.t. entropy sources. If you can mix seeds into your entropy pool without destroying the entropy of your pool (and we agree that you can) while adding some of any entropy in your seeds (and we agree that you can), then why not?

Yes, I saw your other message. Testing entropy pools and sources is hard if you want real entropy. One way to test the pool and its mixing function is to add and use a hook for supplying test vectors instead of real entropy for each source. But to test the operational system, if it has real entropy sources, is harder. So you might as well add in a fixed, manufacture-time seed + time/counter-based salting, as you suggested. And you'll still want to test the result, but you can only apply statistical analysis to the outputs to decide if they're random-*looking*.

Having no entropy sources is not a good option for systems where the threat model requires good entropy sources (e.g., if you want PFS to prevent compromise of an end-point from compromising pre-compromise communications).

IMO it's not wise to trivially reject an "all of the above" approach to entropy gathering.

Nico
--
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [email protected]
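The following is an added illustration of the points made in the message above; it is not code from the thread or from any project discussed there, and the names (`EntropyPool`, `build_pool`, `naive_mix`, `monobit_z`) and the SHA-256 hash-chain construction are my own assumptions, not a reference design. It shows three things: a mixing function in which a known or attacker-chosen input cannot collapse the pool's existing state (contrasted with a naive mixer that can), a hook that lets tests replace the live sources (`os.urandom`, a counter-salted clock, a fixed manufacture-time seed) with deterministic vectors so the mixer can be checked with known inputs, and a monobit test on the output that a pool seeded only with a public constant passes just as well as a live one, which is exactly why output statistics only establish "random-looking".

```python
"""Hash-based entropy pool with a test-vector hook (added example, not from the thread)."""
import hashlib
import math
import os
import struct
import time
from typing import Callable, Dict, Optional, Tuple


def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed fields; the prefix removes field-boundary ambiguity."""
    h = hashlib.sha256()
    for p in parts:
        h.update(struct.pack(">I", len(p)))
        h.update(p)
    return h.digest()


class EntropyPool:
    """Pool state is a 32-byte hash-chain value; sources are mixed in by name."""

    def __init__(self, manufacture_seed: bytes) -> None:
        # Fixed manufacture-time seed: assumed public, it is simply one more input.
        self.state = _h(b"init", manufacture_seed)
        self.out_ctr = 0
        self.sources: Dict[str, Callable[[], bytes]] = {}

    def mix(self, name: str, data: bytes) -> None:
        # state' = H(state, name, data). Because the old state is an input, a
        # source with predictable bytes can only add to, never remove,
        # whatever unpredictability the state already had.
        self.state = _h(b"mix", self.state, name.encode(), data)

    def poll(self) -> None:
        for name, fn in self.sources.items():
            self.mix(name, fn())

    def extract(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            self.out_ctr += 1
            out += _h(b"out", self.state, struct.pack(">Q", self.out_ctr))
        # Ratchet so a later compromise of the state does not reveal earlier outputs.
        self.state = _h(b"ratchet", self.state)
        return out[:n]


def naive_mix(pool: EntropyPool, data: bytes) -> None:
    """Deliberately bad mixer for contrast: the state becomes H(data), discarding history."""
    pool.state = _h(b"bad", data)


def live_sources() -> Dict[str, Callable[[], bytes]]:
    """Live inputs: OS randomness plus a monotonic clock salted with a counter."""
    counter = [0]

    def salted_clock() -> bytes:
        counter[0] += 1
        return struct.pack(">QQ", time.monotonic_ns(), counter[0])

    return {"os_urandom": lambda: os.urandom(32), "clock_ctr": salted_clock}


def build_pool(seed: bytes, sources: Optional[Dict[str, Callable[[], bytes]]] = None) -> EntropyPool:
    """Test hook: pass `sources` to replace the live sources with deterministic vectors."""
    pool = EntropyPool(seed)
    pool.sources = live_sources() if sources is None else sources
    pool.poll()
    return pool


def collapse_check(known: bytes) -> Tuple[bool, bool]:
    """Mix the same attacker-known bytes into two pools with different states.
    Returns (states_equal_with_good_mix, states_equal_with_naive_mix)."""
    a, b = EntropyPool(b"seed-A"), EntropyPool(b"seed-B")
    a.mix("attacker", known)
    b.mix("attacker", known)
    c, d = EntropyPool(b"seed-A"), EntropyPool(b"seed-B")
    naive_mix(c, known)
    naive_mix(d, known)
    return a.state == b.state, c.state == d.state


def monobit_z(data: bytes) -> float:
    """|z| of the ones-count against a fair coin; roughly N(0,1) for random-looking data."""
    ones = sum(bin(byte).count("1") for byte in data)
    nbits = 8 * len(data)
    return abs(ones - nbits / 2) / math.sqrt(nbits / 4)


def demo() -> dict:
    # Constructed test vectors standing in for the live sources.
    vectors = {"os_urandom": lambda: b"\x00" * 32, "clock_ctr": lambda: b"\x01" * 16}
    p1, p2 = build_pool(b"unit-A", vectors), build_pool(b"unit-A", vectors)
    public_only = build_pool(b"public constant", {"none": lambda: b""})  # zero real entropy
    live = build_pool(b"public constant")
    return {
        "deterministic": p1.extract(32) == p2.extract(32),
        "collapse": collapse_check(b"A" * 32),
        "z_public_only": monobit_z(public_only.extract(4096)),
        "z_live": monobit_z(live.extract(4096)),
    }
```

The `collapse` result is the concrete form of "mixing without destroying": with the hash-chain mixer, two pools that started different stay different after the same known input, whereas the naive mixer makes them identical. The two `z` values will both sit comfortably inside the fair-coin range, even though `public_only` has no entropy at all, so a statistical pass on the output must not be read as evidence of entropy; only the test-vector hook lets you check the mixer, and only the design of the sources lets you argue about the entropy.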
