David Schwartz wrote:
> > > /dev/random should block if the system does not contain as much
> > real entropy
> > > as the reader desires. Otherwise, the PRNG implementation will be the
> > > weakest link for people who have deliberately selected higher levels of
> > > protection from cryptographic attack.
> > I don't want to rehash this thread from the beginning. Please go
> > back, read the Yarrow paper, and recognise that Yarrow is not an
> > entropy-counter, it is a cryptographically secure PRNG. The "count
> > random bits and block" model does not apply.
>         Then the current implementation cannot provide the usual semantics for
> /dev/random, while it can provide the semantics for /dev/urandom. As I
> understand it, /dev/random is supposed to provide true randomness suitable
> for generating keys of unlimited length, whereas /dev/urandom is supposed to
> provide cryptographically-strong randomness for general applications.
>         If people want /dev/random to seed 1024-bit keys, /dev/random must be
> stronger than a 1024-bit key.

1. The current /dev/random cannot do it, it's less secure 
   than Yarrow for a variety of reasons. So we have a net
   improvement anyway. Thanks Mark.

2. Most people do not want to seed 1024-bit keys as outlined
   in another mail in this thread. If they *understand* the 
   issues involved they will realize that 2^256 complexity
   is plenty uncrackable for all practical purposes. FreeBSD 
   is about practical purposes IMHO.

3. Yarrow can be modified to just do this, should someone
   think this is neccessary. Read the paper and think of
   what happens when you set Pg to 1/(2^(k/3)). (Note that
   the paper restricts this value to 1 <= Pg but that's of
   no importance here.) 
** This is overly conservative for most applications  I can
   think of; Even a multi-million dollar financial 
   transactioning system will be practically secure when Pg 
   is set to 1.

4. Nothing prevents you from adapting Yarrow so that current
   /dev/random semantics are preserved, making Yarrow even
   better. It can be done with the current design it's just
   not very beneficial to do it.

5. Yarrow was designed as a better replacement for most any
   PRNG by a couple of bright cryptographers. Can you do
   better than that?

Jeroen C. van Gelderen          o      _     _         _
[EMAIL PROTECTED]  _o     /\_   _ \\o  (_)\__/o  (_)
                      _< \_   _>(_) (_)/<_    \_| \   _|/' \/
                     (_)>(_) (_)        (_)   (_)    (_)'  _\o_

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message

Reply via email to