>One of the problems is for example to get a suitably random number
>soon after booting an embedded device, without external activity.
>A PRNG is no good here - the sampling occurs at quite predictable
>time since the power was applied.

Yes, that's why Andy needs to check multiple samples gathered after a reset
or power on :), not just an auto-correlation function; the hardware PRNG
could just have a long period.

And I certainly have used processors where these tricks won't work, but
again, those were so basic that running OpenSSL wouldn't be an option.

>Well if this assumption breaks the RNGs will be probably the least
>thing to worry about ;)

There have been attacks demonstrated on quantum communications systems
which rely on blinding the detectors - so even without threatening the
stability of the universe :), attacks on what we currently consider to be
really 'random' events have already been demonstrated, that's why I don't
consider this to be intrinsically much worse than using a 'real' hardware
source.  With access to the hardware you can probably mess up devices
relying on shot noise or similar anyway.

He just needs to be sure that the initial state isn't predictable, the
distribution is reasonable and that he can detect failures of the source.


Peter
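Peter's three conditions (unpredictable initial state, reasonable distribution, detectable failure of the source) map onto the continuous health tests later standardised in NIST SP 800-90B. The following is an added example, not code from this thread or from OpenSSL: the sample streams are constructed with SHA-256 as a deterministic stand-in for a real noise source, and the claimed 4 bits of entropy per sample used in the checks is an assumption.

```python
import hashlib
import math
from itertools import combinations

def repetition_count_test(samples, h_min, alpha_log2=20):
    # SP 800-90B 4.4.1: fail when one value recurs C times in a row
    cutoff = 1 + math.ceil(alpha_log2 / h_min)
    run, last = 0, object()
    for s in samples:
        run, last = (run + 1 if s == last else 1), s
        if run >= cutoff:
            return False
    return True

def apt_cutoff(h_min, window=512, alpha_log2=20):
    # 1 + CRITBINOM(window, 2^-h_min, 1 - 2^-alpha_log2): the false-alarm
    # criterion SP 800-90B uses for its cutoff table, evaluated directly
    p, cdf = 2.0 ** -h_min, 0.0
    for k in range(window + 1):
        cdf += math.comb(window, k) * p ** k * (1 - p) ** (window - k)
        if cdf >= 1 - 2.0 ** -alpha_log2:
            return k + 1
    return window + 1

def adaptive_proportion_test(samples, h_min, window=512):
    # SP 800-90B 4.4.2: per window, count recurrences of its first value;
    # reaching the cutoff means the distribution has collapsed
    cutoff = apt_cutoff(h_min, window)
    for start in range(0, len(samples) - window + 1, window):
        if samples[start:start + window].count(samples[start]) >= cutoff:
            return False
    return True

def predictable_start(streams, max_shared=4):
    # A shared prefix across independent power-ons means the initial state
    # repeats after reset (or the PRNG restarts from the same point)
    def prefix(a, b):
        return next((i for i, (x, y) in enumerate(zip(a, b)) if x != y),
                    min(len(a), len(b)))
    return any(prefix(a, b) > max_shared for a, b in combinations(streams, 2))

def constructed_stream(label, n=1024):
    # Deterministic stand-in (constructed) for samples read from a noise source
    out = b"".join(hashlib.sha256(b"%s:%d" % (label, i)).digest()
                   for i in range(n // 32 + 1))
    return list(out[:n])

GOOD = [constructed_stream(b"power-on-%d" % i) for i in range(3)]
STUCK = [0x5A] * 1024                                # stuck at one value
BAD_RESET = GOOD + [GOOD[0][:32] + constructed_stream(b"x")[32:]]
```

The two SP 800-90B tests catch a stuck or collapsed source, while the cross-reset prefix comparison is the check for Peter's first condition, which no single-stream statistic can see.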




From:   Stanislav Meduna <st...@meduna.org>
To:     openssl-dev@openssl.org
Date:   18/01/2012 11:21
Subject:        Re: OS-independent entropy source?
Sent by:        owner-openssl-...@openssl.org



On 17.01.2012 23:55, Peter Waltenberg wrote:

> I think my point is valid though - even if it is a PRNG, provided it's a
> good one (and distribution will tell you that) if an attacker can't tell
> exactly when you are sampling the PRNG effectively it's a usable entropy
> source.

One of the problems is for example to get a suitably random number
soon after booting an embedded device, without external activity.
A PRNG is no good here - the sampling occurs at quite predictable
time since the power was applied.

For a typical OpenSSL usage you are probably right, at least if you
are able to save the gathered entropy across reboots.

> The same is true of events we consider to be really random - i.e.
> radioactive material, thermal shot noise - the real situation may simply be
> that we don't yet know enough at present to be able to predict when an
> individual nucleus will decay - that doesn't mean that'll always be true

Well if this assumption breaks the RNGs will be probably the least
thing to worry about ;)

--
                                        Stano
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org