On Feb 17, 2012, at 4:55 AM, Jack Lloyd wrote:

> On Thu, Feb 16, 2012 at 09:41:04PM -0600, Nico Williams wrote:
>
>> developers agree). I can understand *portable* applications (and
>> libraries) having entropy gathering code on the argument that they may
>> need to run on operating systems that don't have a decent entropy
>> provider.
>
> Another good reason to do this is resilience - an application that
> takes some bits from /dev/(u)random if it's there, but also tries
> other approaches to gather entropy, and mixes them into a (secure)
> PRNG, will continue to be safe even if a bug in the /dev/random
> implementation (or side channel in the kernel that leaks pool bits,
> etc) causes the conditional entropy of what it is producing to be
> lower than perfect. I'm sure at some point we'll see a fiasco on the
> order of the Debian OpenSSL problem with /dev/random in a major
> distribution.
Note the "and mixes them into a (secure) PRNG". If the app developer does a bad (typical?) job and mixes them poorly, they can end up with fewer unpredictable bits than if they had just taken the results from /dev/random. Looked at another way, if an app developer is going to do any processing on /dev/random, they should really look at the result as the app having its own fully-functional PRNG that has input from the OS, not the app making an "improvement" on the OS.

--Paul Hoffman

_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography
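The contrast in the thread, a poor mixer that throws away bits versus treating the result as the application's own seeded PRNG, as an added example that is not part of the list discussion: `mix_sources_securely`, `mix_sources_badly`, `HmacDrbg` and `gather_sources` are illustrative names, and the time and pid inputs are constructed stand-ins for whatever extra sources an application might gather.

```python
import hashlib
import hmac
import os
import struct
import time


def mix_sources_securely(sources):
    # Length-prefix and hash every source into one 32-byte seed. The digest is
    # at least as hard to guess as the strongest single input, so a weak extra
    # source (time, pid) cannot make the seed worse than /dev/urandom alone.
    h = hashlib.sha256()
    for src in sources:
        h.update(struct.pack(">I", len(src)))
        h.update(src)
    return h.digest()


def mix_sources_badly(sources):
    # A poor mixer: XOR the first four bytes of each source into one int. The
    # result is always 32 bits, so however much was read from /dev/urandom,
    # at most 32 bits of unpredictability survive.
    seed = 0
    for src in sources:
        seed ^= int.from_bytes(src[:4].ljust(4, b"\0"), "big")
    return seed


class HmacDrbg:
    # Minimal HMAC-SHA256 generator: the application's own PRNG fed by the seed.
    def __init__(self, seed):
        self.key = hmac.new(b"\0" * 32, seed, hashlib.sha256).digest()
        self.counter = 0

    def generate(self, nbytes):
        out = b""
        while len(out) < nbytes:
            self.counter += 1
            block = struct.pack(">Q", self.counter)
            out += hmac.new(self.key, block, hashlib.sha256).digest()
        # Ratchet the key so a later compromise does not expose earlier output.
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out[:nbytes]


def gather_sources():
    # OS entropy first; time and pid are constructed stand-ins for extra sources.
    return [os.urandom(32), struct.pack(">d", time.time()), struct.pack(">I", os.getpid())]
```

Seeding with `HmacDrbg(mix_sources_securely(gather_sources()))` keeps the full 256-bit OS input, whereas two 32-byte OS reads that differ only after the fourth byte collapse to the same value under `mix_sources_badly`.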
