I am not wedded to the xor decision, and I would not have dreamed it up. But looking at NSA's backdoor as an engineering problem, that xoring looks like a really hard thing for them to break. The secret silicon would have to be field upgradable to match specific kernel versions. There have been 32 changes to random.c in Linus' tree so far this year: random.c itself is a low-bandwidth entropy source!

Quite plausibly Intel's RNG *is* deterministic and they engineered a way to periodically leak that internal state, stego-style. But the xoring approach holds up to that just fine.

Still, looking through Linus' git, the xoring was taken out early this year. Instead data from Intel's rng is now used as SHA's initial vector. I would have liked a bit more aggressive use of that high bandwidth RNG, but it seems sound.

As for Matt Mackall quitting...in a zeal to accurate entropy accounting, wasn't he busily turning off every entropy source he couldn't characterize? (In other words, nearly all entropy sources?) That seemed like a really stupid thing--and quite a different approach from your more-is-better tinhatrandom design.

I was startled when I happened upon this in the code and I cold e-mailed him about it. He was pissed as hell that I would dare e-mail him and he was doing me a great favor to answer my e-mail to tell me he was pissed that I e-mailed him. (Okay, I exaggerate a little, but that was the taste in my mouth as *I* concluded he had to go.) Getting more entropy sources contributing seems a good thing and (as far as I observe) it is only possible now that Mackall is gone. Am I wrong?

-kb

_______________________________________________
Discuss mailing list
[email protected]
http://lists.blu.org/mailman/listinfo/discuss

Reply via email to