> One of the problems is for example to get a suitably random number
> soon after booting an embedded device, without external activity.
> A PRNG is no good here - the sampling occurs at quite predictable
> time since the power was applied.

Yes, that's why Andy needs to check multiple samples gathered after a reset or power on :), not just an auto-correlation function, the hardware PRNG could just have a long period. And I certainly have used processors where these tricks won't work, but again, those were so basic that running OpenSSL wouldn't be an option.

> Well if this assumption breaks the RNGs will be probably the least
> thing to worry about ;)

There have been attacks demonstrated on quantum communications systems which rely on blinding the detectors - so even without threatening the stability of the universe :), attacks on what we currently consider to be really 'random' events have already been demonstrated, that's why I don't consider this to be intrinsically much worse than using a 'real' hardware source. With access to the hardware you can probably mess up devices relying on shot noise or similar anyway. He just needs to be sure that the initial state isn't predictable, the distribution is reasonable and that he can detect failures of the source.

Peter

From: Stanislav Meduna <st...@meduna.org>
To: openssl-dev@openssl.org
Date: 18/01/2012 11:21
Subject: Re: OS-independent entropy source?
Sent by: owner-openssl-...@openssl.org

On 17.01.2012 23:55, Peter Waltenberg wrote:
> I think my point is valid though - even if it is a PRNG, provided it's a
> good one (and distribution will tell you that) if an attacker can't tell
> exactly when you are sampling the PRNG effectively it's a usable entropy
> source.

One of the problems is for example to get a suitably random number
soon after booting an embedded device, without external activity.
A PRNG is no good here - the sampling occurs at quite predictable
time since the power was applied.

For a typical OpenSSL usage you are probably right, at least if you are
able to save the gathered entropy across reboots.

> The same is true of events we consider to be really random - i.e.
> radioactive material, thermal shot noise - the real situation may simply be
> that we don't yet know enough at present to be able to predict when an
> individual nucleus will decay - that doesn't mean that'll always be true

Well if this assumption breaks the RNGs will be probably the least
thing to worry about ;)

-- 
Stano

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
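The three conditions Peter lists (initial state not predictable from one reset to the next, a reasonable distribution, detectable failure of the source) can be turned into concrete checks over sample sequences captured after several boots. The script below is an added worked example written for this page; it is not code from the thread or from OpenSSL. It assumes each boot yields a list of 8-bit samples, stands in for the hardware source with a seeded PRNG (constructed data), and takes the stuck-source cutoff from the SP 800-90B repetition count test formula. It also shows the point made above: a generator that starts from the same state at every power-on passes a per-run autocorrelation check and still scores as fully predictable across resets.

```python
"""Health checks for a boot-time entropy source, run over sample sequences
captured after several resets. Added, constructed example; not OpenSSL code."""
import math
import random
from collections import Counter


def cross_reset_predictability(runs):
    """Agreement between boots at each sample position.

    For every position i, count how many runs produced the most common value
    at i; return the total over positions divided by positions * runs.
    1.0 means every boot emitted the identical sequence (fully predictable
    initial state); an unpredictable 8-bit source stays well under 0.5.
    """
    n_positions = min(len(r) for r in runs)
    n_runs = len(runs)
    agreeing = 0
    for i in range(n_positions):
        counts = Counter(r[i] for r in runs)
        agreeing += max(counts.values())
    return agreeing / (n_positions * n_runs)


def autocorrelation(samples, lag):
    """Normalised lag-k autocorrelation in [-1, 1]; 0.0 for a constant sequence."""
    n = len(samples)
    mean = sum(samples) / n
    dev = [x - mean for x in samples]
    denom = sum(d * d for d in dev)
    if denom == 0:
        return 0.0
    return sum(dev[i] * dev[i + lag] for i in range(n - lag)) / denom


def min_entropy_estimate(samples):
    """Plug-in min-entropy estimate in bits per sample: -log2(p_max)."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def repetition_count_cutoff(min_entropy_bits, alpha=2 ** -20):
    """Cutoff C = 1 + ceil(-log2(alpha) / H) from the SP 800-90B repetition
    count test: a run of C identical samples is implausible for a source
    delivering H bits per sample, so reaching it signals a stuck source."""
    return 1 + math.ceil(-math.log2(alpha) / min_entropy_bits)


def repetition_count_test(samples, min_entropy_bits):
    """Return None if no run reaches the cutoff, else the index where it did."""
    cutoff = repetition_count_cutoff(min_entropy_bits)
    run = 0
    prev = object()  # sentinel that never equals a sample
    for i, x in enumerate(samples):
        run = run + 1 if x == prev else 1
        prev = x
        if run >= cutoff:
            return i
    return None


def assess_source(runs, claimed_min_entropy):
    """Combine the checks over a list of per-boot sample sequences."""
    flat = [x for r in runs for x in r]
    return {
        "cross_reset_predictability": cross_reset_predictability(runs),
        "max_abs_lag1_autocorrelation": max(abs(autocorrelation(r, 1)) for r in runs),
        "min_entropy_estimate": min_entropy_estimate(flat),
        "stuck_at_index": repetition_count_test(flat, claimed_min_entropy),
    }


def simulate_boots(n_boots, n_samples, reseeded):
    """Constructed stand-in for a hardware source: bytes from a PRNG.

    reseeded=False models a deterministic generator that restarts from the
    same internal state at every power-on, so every boot emits the same bytes."""
    runs = []
    for boot in range(n_boots):
        rng = random.Random(boot if reseeded else 0)
        runs.append([rng.randrange(256) for _ in range(n_samples)])
    return runs


if __name__ == "__main__":
    for label, reseeded in (("same state every boot", False), ("fresh state", True)):
        print(label, assess_source(simulate_boots(8, 64, reseeded), claimed_min_entropy=4))
```

Run against real captures, `runs` would hold the first N samples read from the source after each of several power cycles; the cross-reset figure is the one an autocorrelation-only check misses, and the repetition count is the cheap on-device test for a source that has died or latched.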