> On Sun, 23 Jul 2000, Mark Murray wrote:
> > Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> > the old approach. It is also the approach that you are advocating.
> > 
> > The next paragraph "Yarrow takes..." is Yarrow, and the current
> > implementation.
> "The strength of the first approach is that, if properly designed, it is
> possible to get unconditional security from the PRNG."

"if properly designed" is the key phrase. The previous one was not, and
I do not have the cryptographic skill to do so.

> This is a good thing :-)

In theory :-). In practice, we have no algorithms to go on.

> Please understand that this is not a personal attack - I appreciate your
> work, and welcome it in FreeBSD. My concern is with what Yarrow does not
> do, but which FreeBSD needs: a PRNG which is capable of generating
> arbitrarily large keys.

We are limited by the rate at which we can harvest entropy. The PC
platform has quite close to Jack Shite available if there is no-one
on the keyboard.

> > How do we fix it? What accumulation algorithm do we use that does not
> > clue the reader into what the internal state is?
> I suggest we ask Bruce Schneier instead of bantering back and forth about
> the issue. I claim (supported by the quote above) that it's possible to
> implement such a system securely and have it co-exist with Yarrow.

In theory, yes. I'll ask Schneier. He's already said he'll look at my
code when he has the time.

> > _My_ point is that the old system is broken, and that IMO Yarrow is a
> > good replacement. (I support my point by noting that Schneier is a far
> > better cryptographer than I, and he designed the algorithm that I
> > implemented).
> Yarrow is a good replacement for /dev/urandom. However it doesn't provide
> features which I believe are necessary, namely the ability to generate
> high-entropy keys of arbitrary size, without severely impacting on PRNG
> performance by constantly reseeding.

Here we must agree to differ. :-)

Yarrow's data _is_ high entropy. It is indistinguishable from "real"
entropy if done right (for the purposes of this argument, I need to
assume that Schneier does it right). Yarrow is "attack oriented",
which is the correct approach if you want your numbers for crypto and
not for (say) science.

Mark Murray
Join the anti-SPAM movement: http://www.cauce.org