On 14/03/15 15:36, Jean-Pierre Münch wrote:
> Hey everyone,
>
> as you may or may not know I'm currently modernizing Crypto++ to some
> extent.
> During some of my other research I noticed that the LibreSSL team decided
> to drop their (OpenSSL's) PRNG.
> They stated that it's not the job of the TLS library to provide users with
> randomness but rather the OS's job.
>
> So here comes my question:
>
> How far do we trust the PRNGs of Windows (CryptGenRandom()) and UNIX
> (/dev/random?)?
As far as I know a thing about crypto, I'm going to throw my opinion in this starting discussion, while it's still new ;)

Me too, I think it's the OS's job to do rng. AFAIK, Linux does a fairly good job on that; it uses a lot of different sources for entropy. Sources which CryptoPP/userland cannot access: Intel CPU entropy generator, network chatter, USB chatter. I would trust my /dev/random. I wouldn't trust Windows' RNG though, but I wouldn't trust any random generator on a closed source system.

> Is it necessary to find any source of potential entropy we can get or do
> we just sit there and use the entropy the OS provides to us?
>
> Depending on your answers I'll adapt my Fortuna implementation (if we trust
> in the OS, the OS will feed the pools, if not I have to do it).
>
> Now the master question: CAN we even get GOOD entropy in USERLAND? (->
> Crypto++'s main usage)
>
> BR
>
> JPM

--
You received this message because you are subscribed to the "Crypto++ Users" Google Group. To unsubscribe, send an email to [email protected]. More information about Crypto++ and this group is available at http://www.cryptopp.com.
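The reply above argues that randomness should come from the OS rather than be gathered in userland. As an added example that is not code from Crypto++ or from either poster, here is a C routine that seeds from the Unix kernel generator by reading /dev/urandom (the non-blocking counterpart of the /dev/random mentioned above), handling the short reads and EINTR that a single read() call would miss, with a stuck-output check before the bytes are used as a seed; the function names are my own.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Fill buf[0..len) from the kernel CSPRNG via /dev/urandom. Returns 0 on
 * success, -1 on failure; a partial buffer is never reported as success.
 * (Added example, not Crypto++ code; function names are hypothetical.) */
int os_random_bytes(unsigned char *buf, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;            /* interrupted by a signal: retry */
        if (n <= 0) {            /* I/O error or unexpected EOF */
            close(fd);
            return -1;
        }
        got += (size_t)n;        /* short read: keep reading */
    }
    close(fd);
    return 0;
}
/* Stuck-output check before the bytes are used as a seed: two draws must
 * differ. Returns 1 if they do, 0 if identical, -1 if the OS RNG failed. */
int seeds_differ(size_t len)
{
    unsigned char a[64], b[64];
    if (len == 0 || len > sizeof a) return -1;
    if (os_random_bytes(a, len) != 0 || os_random_bytes(b, len) != 0)
        return -1;
    return memcmp(a, b, len) != 0;
}
int main(void)
{
    unsigned char seed[32];
    if (os_random_bytes(seed, sizeof seed) != 0 || seeds_differ(32) != 1) {
        fputs("OS RNG unavailable or stuck; refusing to seed\n", stderr);
        return 1;
    }
    for (size_t i = 0; i < sizeof seed; i++)
        printf("%02x", seed[i]);
    putchar('\n');
    return 0;
}
```

On Windows the same role is played by the CryptGenRandom() call named in the question; the retry and stuck-output logic applies unchanged.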
