On Fri, Aug 16, 2013 at 3:30 PM, Tony Arcieri <basc...@gmail.com> wrote:
> On Fri, Aug 16, 2013 at 9:18 AM, Patrick Mylund Nielsen < > cryptogra...@patrickmylund.com> wrote: > >> Yes, but they aren't talking about urandom. Your reply made it sound like >> random is weak, but the paper points to both (as urandom is seeded by >> random), and they propose a new AES-based PRNG that accumulates entropy >> properly. >> > > I'm not sure if you feel the same way, but the opinion of many uneducated > observers[1] seems to be that using a PRNG at all in these contexts is > "insecure" when that is absolutely not the case, and for the most part > there isn't a meaningful difference between the security of random vs > urandom except that random will run out of entropy. > Ignoring the veiled insult: I don't, but I still recognize that they're not identical (at least on Linux.) There's no meaningful difference in most cases, i.e. when nobody's observing the output, or if the CSPRNG has no biases. Using /dev/urandom in general is fine. Either way, that's beside the point. > The "urandom is insecure" claims are specifically what I was trying to > challenge, and I hope this paper helps drive it home. If "urandom is > insecure" it isn't more so than /dev/random > You replied with a link to a paper that states that both /dev/random and /dev/urandom have the same weaknesses, and said that "/dev/random isn't robust." Neither of them are, so what the paper drove home is that both have vulnerabilities, not that /dev/random is worse than /dev/urandom (which must clearly be false since /dev/urandom is a PRNG seeded by /dev/random.) That is all I'm pointing out.
_______________________________________________ cryptography mailing list cryptography@randombit.net http://lists.randombit.net/mailman/listinfo/cryptography
