On Sun, 23 Jul 2000, Mark Murray wrote:
> Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> the old approach. It is also the approach that you are advocating.
> The next paragraph "Yarrow takes..." is Yarrow, and the current
"The strength of the first approach is that, if properly designed, it is
possible to get unconditional security from the PRNG."
This is a good thing :-)
> It should not use the old method, which is attackable for many
> reasons that Schneier makes clear. (Effectively a 128 bit hash with
> a reseed ("stir") every read. Can you spell "Iterative attack"? :-) ).
> Where does that leave us?
> How good were our old numbers? How many users have I screwed by
> implementing that system?
Please understand that this is not a personal attack - I appreciate your
work, and welcome it in FreeBSD. My concern is with what Yarrow does not
do, but which FreeBSD needs: a PRNG which is capable of generating
arbitrarily large keys.
> How do we fix it? What accumulation algorithm do we use that does not
> clue the reader into what the internal state is?
I suggest we ask Bruce Schneier instead of bantering back and forth about
the issue. I claim (supported by the quote above) that it's possible to
implement such a system securely and have it co-exist with Yarrow.
> _My_ point is that the old system is broken, and that IMO Yarrow is a
> good replacement. (I support my point by noting that Schneier is a far
> better cryptographer than I, and he designed the algorithm that I
Yarrow is a good replacement for /dev/urandom. However, it doesn't provide
features which I believe are necessary, namely the ability to generate
high-entropy keys of arbitrary size, without severely impacting on PRNG
performance by constantly reseeding.
In God we Trust -- all others must submit an X.509 certificate.
-- Charles Forsythe <[EMAIL PROTECTED]>
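To put the two generator designs argued over in this thread side by side, here is an added sketch in Python; it is not code from the thread, from FreeBSD or from the Yarrow paper. It assumes an MD5-based 128-bit state for the "hash with a stir every read" design and, for the Yarrow side, a SHA-1-sized 160-bit key with HMAC-SHA1 over a counter standing in for Yarrow-160's 3DES counter mode; entropy pools and reseed control are left out.

```python
"""Sketch of the two /dev/random generator designs discussed in the thread.

Added illustration only.  Pool accumulation and reseeding are omitted; only
the output stage is shown, so the entropy available to any key drawn from
either generator is bounded by the size of the seeded state.
"""
import hashlib
import hmac

STATE_BITS = 160     # Yarrow-160 sized state (SHA-1 output size)
GATE_BLOCKS = 10     # Yarrow's Pg: re-key the generator every Pg output blocks


class OldStyleGenerator:
    """'One approach' from the thread: output = hash(state), and the state is
    stirred with the output on every read.  A sketch of the design, not the
    historical FreeBSD code."""

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.md5(seed).digest()            # 128-bit state

    def read(self) -> bytes:
        out = hashlib.md5(self.state).digest()
        self.state = hashlib.md5(self.state + out).digest()  # "stir" every read
        return out


class YarrowGenerator:
    """Yarrow-style output stage: each block is E_K(counter); after GATE_BLOCKS
    blocks the next block replaces K (the generator gate), so a later
    compromise of K does not reveal output produced before the gate."""

    def __init__(self, seed: bytes) -> None:
        self.key = hashlib.sha1(seed).digest()   # 160-bit key from the pool hash
        self.counter = 0
        self.since_gate = 0

    def _block(self) -> bytes:
        self.counter += 1                        # counter mode: never reuse a counter
        return hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha1).digest()

    def read(self, nbytes: int) -> bytes:
        out = b""
        while len(out) < nbytes:
            out += self._block()
            self.since_gate += 1
            if self.since_gate >= GATE_BLOCKS:   # generator gate: key <- next block
                self.key = self._block()
                self.since_gate = 0
        return out[:nbytes]


def key_entropy_bound(key_bits: int, state_bits: int = STATE_BITS) -> int:
    """Forsythe's objection in numbers: without a reseed, a key drawn from the
    generator carries at most state_bits of entropy, however long it is."""
    return min(key_bits, state_bits)
```

Two generators seeded with the same 160-bit state emit identical streams, which is why `key_entropy_bound(4096)` is 160, not 4096.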