Antoon Pardon <[EMAIL PROTECTED]> writes:
> > No the idea is that once there's enough entropy in the pool to make
> > one encryption key (say 128 bits), the output of /dev/urandom is
> > computationally indistinguishable from random output no matter how
> > much data you read from it.
>
> If you were talking about /dev/random I would agree. But this is what
> the man page on my system says about /dev/urandom.
> ...
>     the returned values are theoretically vulnerable to a
>     cryptographic attack on the algorithms used by the driver.
Right. The idea is that those attacks don't exist and therefore the output is computationally indistinguishable from random. Of course, whether the idea is correct is an unproven conjecture, but it looks pretty good; certainly finding any problem with the specific algorithms in urandom would be a significant research discovery and not likely to affect the application being discussed. Finding a general attack that couldn't be fixed with some simple tweak would be a major crypto breakthrough that would probably reshape a lot of complexity theory.

This is unlike the situation with Mersenne Twister, which was not designed for indistinguishability against an opponent who knew what to look for.

In short, using /dev/random is fairly silly once you know there's enough entropy in the randomness pool to make a good key. If /dev/urandom's algorithms are broken then whatever you're doing with the /dev/random output is probably also broken.

-- 
http://mail.python.org/mailman/listinfo/python-list
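The contrast drawn above between Mersenne Twister and /dev/urandom, as an added example that is not part of the original post or of Python's own library code: Python's `random` module is MT19937, and an observer who has seen 624 consecutive 32-bit outputs can invert the tempering step, rebuild the internal state with `setstate`, and predict every output that follows. Beside it, a 128-bit key drawn from `os.urandom`, which reads /dev/urandom on Unix, for which no such recovery is known. The seed value, the helper names and the `demo_mt_predictable` function are my own constructions for the illustration.

```python
import os
import random

MASK32 = 0xFFFFFFFF

# MT19937 tempering parameters (u, s, b, t, c, l) from the generator's definition.
_T_U, _T_S, _T_B, _T_T, _T_C, _T_L = 11, 7, 0x9D2C5680, 15, 0xEFC60000, 18


def temper(y):
    """The output transform MT19937 applies to a state word before emitting it."""
    y ^= y >> _T_U
    y ^= (y << _T_S) & _T_B
    y ^= (y << _T_T) & _T_C
    y ^= y >> _T_L
    return y & MASK32


def _undo_right_xor(y, shift):
    """Invert y ^= y >> shift: re-apply it until the fixed point is reached."""
    x = y
    for _ in range(32 // shift + 1):
        x = y ^ (x >> shift)
    return x


def _undo_left_xor_masked(y, shift, mask):
    """Invert y ^= (y << shift) & mask the same way (low `shift` bits are untouched,
    so each pass recovers the next `shift` bits)."""
    x = y
    for _ in range(32 // shift + 1):
        x = (y ^ ((x << shift) & mask)) & MASK32
    return x


def untemper(y):
    """Map one 32-bit MT19937 output back to the state word that produced it."""
    y = _undo_right_xor(y, _T_L)
    y = _undo_left_xor_masked(y, _T_T, _T_C)
    y = _undo_left_xor_masked(y, _T_S, _T_B)
    y = _undo_right_xor(y, _T_U)
    return y & MASK32


def clone_mt(outputs):
    """Return a random.Random in the same state as the generator that emitted
    `outputs`, which must be 624 consecutive values from getrandbits(32)."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    state = tuple(untemper(o) for o in outputs)
    clone = random.Random()
    # CPython state layout: (version 3, (624 state words, index), gauss_next).
    # index == 624 means the next call regenerates the block, as the victim will.
    clone.setstate((3, state + (624,), None))
    return clone


def predict_next_mt(outputs):
    """Next getrandbits(32) value the observed generator will emit."""
    return clone_mt(outputs).getrandbits(32)


def demo_mt_predictable(seed=1234567):
    """Constructed scenario: a 'victim' seeded generator, 624 leaked outputs,
    then one prediction checked against the real next output."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    predicted = predict_next_mt(observed)
    actual = victim.getrandbits(32)
    return predicted == actual


def urandom_key(nbytes=16):
    """128-bit key from the kernel CSPRNG (os.urandom reads /dev/urandom on Unix);
    there is no analogue of clone_mt for this source."""
    key = os.urandom(nbytes)
    if len(key) != nbytes:
        raise RuntimeError("short read from the system RNG")
    return key


if __name__ == "__main__":
    print("MT19937 next output predicted:", demo_mt_predictable())
    print("urandom key:", urandom_key().hex())
```

The inversion works because each tempering step only mixes a word with a shifted copy of itself, so re-applying the step to its own output converges on the original word after a few passes. That is exactly the property a generator built for indistinguishability must not have: the kernel's /dev/urandom output is passed through a cryptographic function whose inversion would be the "significant research discovery" the post refers to.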