Re: /dev/random is probably not

2005-07-05 Thread John Kelsey
>From: "Charles M. Hannum" <[EMAIL PROTECTED]> >Sent: Jul 3, 2005 7:42 AM >To: Don Davis <[EMAIL PROTECTED]> >Cc: cryptography@metzdowd.com >Subject: Re: /dev/random is probably not ... >Also, I don't buy for a picosecond that you have to gather >&

Re: /dev/random is probably not

2005-07-05 Thread John Denker
On 07/03/05 15:19, Dan Kaminsky wrote: > So the funny thing about, say, SHA-1, is if you give it less than 160 > bits of data, you end up expanding into 160 bits of data, but if you > give it more than 160 bits of data, you end up contracting into 160 bits > of data. This works of course for any

Re: /dev/random is probably not

2005-07-05 Thread Dan Kaminsky
So the funny thing about, say, SHA-1, is if you give it less than 160 bits of data, you end up expanding into 160 bits of data, but if you give it more than 160 bits of data, you end up contracting into 160 bits of data. This works of course for any input data, entropic or not. Hash saturation?

Re: /dev/random is probably not

2005-07-05 Thread Charles M. Hannum
On Sunday 03 July 2005 05:21, Don Davis wrote: > > From: "Charles M. Hannum" <[EMAIL PROTECTED]> > > Date: Fri, 1 Jul 2005 17:08:50 + > > > > While I have found no fault with the original analysis, > > ...I have found three major problems with the way it > > is implemented in current systems. >

Re: /dev/random is probably not

2005-07-05 Thread Florian Weimer
* Jason Holt: > You may be correct, but readers should also know that, at least in Linux: > > /usr/src/linux/drivers/char/random.c: > * All of these routines try to estimate how many bits of randomness a > * particular randomness source. They do this by keeping track of the > * first and se

Re: /dev/random is probably not

2005-07-01 Thread Jason Holt
On Fri, 1 Jul 2005, Charles M. Hannum wrote: Most implementations of /dev/random (or so-called "entropy gathering daemons") rely on disk I/O timings as a primary source of randomness. This is based on a CRYPTO '94 paper[1] that analyzed randomness from air turbulence inside the drive case. I

Re: /dev/random is probably not

2005-07-01 Thread John Denker
On 07/01/05 13:08, Charles M. Hannum wrote: Most implementations of /dev/random (or so-called "entropy gathering daemons") rely on disk I/O timings as a primary source of randomness. ... I believe it is readily apparent that such exploits could be written. So don't do it that way. Vastly b

Re: /dev/random is probably not

2005-07-01 Thread Sidney Markowitz
Charles M. Hannum wrote: > Most implementations of /dev/random (or so-called "entropy gathering > daemons") > rely on disk I/O timings as a primary source of randomness This is not a new or unconsidered problem. Disk caching has always been a factor in disk I/O. /dev/random uses multiple sources

/dev/random is probably not

2005-07-01 Thread Charles M. Hannum
Most implementations of /dev/random (or so-called "entropy gathering daemons") rely on disk I/O timings as a primary source of randomness. This is based on a CRYPTO '94 paper[1] that analyzed randomness from air turbulence inside the drive case. I was recently introduced to Don Davis and, bein