On Thu, Feb 16, 2012 at 09:41:04PM -0600, Nico Williams wrote:
> developers agree). I can understand *portable* applications (and
> libraries) having entropy gathering code on the argument that they may
> need to run on operating systems that don't have a decent entropy
> provider.
Another good reason to do this is resilience - an application that takes some bits from /dev/(u)random if it's there, but also tries other approaches to gather entropy, and mixes them into a (secure) PRNG, will continue to be safe even if a bug in the /dev/random implementation (or side channel in the kernel that leaks pool bits, etc) causes the conditional entropy of what it is producing to be lower than perfect.

I'm sure at some point we'll see a fiasco on the order of the Debian OpenSSL problem with /dev/random in a major distribution.

Contemplate, if you will, this /dev/random implementation:

http://syllable.cvs.sourceforge.net/viewvc/syllable/syllable/system/sys/kernel/drivers/misc/random/random.c?revision=1.4&view=markup
http://syllable.cvs.sourceforge.net/viewvc/syllable/syllable/system/sys/kernel/kernel/random.c?revision=1.5&view=markup

-Jack
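The layered approach Jack describes, as an added example that is not from the thread: several sources (the kernel device when present, clock jitter, process state) are folded through an HMAC extractor so the seed stays unpredictable as long as any one source is good, and the result drives a small hash-based PRNG that can be reseeded later. The source set, the framing format and the `HashPRNG` class are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import time

def gather_sources():
    """Collect independent entropy candidates (an assumed set for this example).
    None is trusted on its own; only the mix has to be good."""
    sources = []
    try:
        sources.append(os.urandom(32))  # kernel pool (/dev/urandom-like) if present
    except NotImplementedError:
        pass  # keep going: the remaining sources still feed the mix
    # Clock jitter: 64 nanosecond-resolution samples, low but non-zero entropy.
    samples = [time.perf_counter_ns().to_bytes(8, "big") for _ in range(64)]
    sources.append(b"".join(samples))
    sources.append(f"{os.getpid()}:{time.time_ns()}".encode())  # process state
    return sources

def mix_sources(sources, label=b"entropy-mix-v1"):
    """HMAC-chain extractor. Each source is index- and length-prefixed, so a
    predictable or attacker-controlled source cannot cancel a good one and
    shifting bytes between sources changes the result."""
    state = hmac.new(label, b"", hashlib.sha256).digest()
    for idx, src in enumerate(sources):
        framed = idx.to_bytes(2, "big") + len(src).to_bytes(4, "big") + src
        state = hmac.new(state, framed, hashlib.sha256).digest()
    return state

class HashPRNG:
    """Illustrative HMAC-SHA256 generator (counter output plus key ratchet),
    not a standardized DRBG."""
    def __init__(self, seed):
        self.key = hmac.new(b"prng-init", seed, hashlib.sha256).digest()
        self.counter = 0

    def reseed(self, extra):
        # Folding in fresh input never reduces the entropy already in the key.
        self.key = hmac.new(self.key, b"reseed" + extra, hashlib.sha256).digest()

    def read(self, n):
        out = b""
        while len(out) < n:
            ctr = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, b"out" + ctr, hashlib.sha256).digest()
            self.counter += 1
        # Ratchet so earlier output cannot be recomputed from a later key leak.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out[:n]
```

A constant (broken) source changes nothing about the seed's dependence on the remaining good sources, which is the property the mix is there to provide.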
