Nico Williams wrote:
> >
> > 2) Is ideal but adds to hardware cost. Unless that is someone can work
> > out a cheap way to get random data into a D/A port or other I/O pin.
>
> A floating D/A input will do. Also, CPUs can implement an RNG
> relatively cheaply. Sun did it in UltraSPARC CPUs, and Intel does it
> now in theirs.
I believe that a purely software-based high quality seeding of
a CPRNG is not that difficult, but a lot of implementations are
not doing a very (efficient) job here.
What is randomness/entropy? It is "un-predictability".
In order to create good seeds and reseeds, you have to
(a) find events that cannot be predicted
with 100% accuracy at 100% of the time and
(b) collect enough of those events and compress them without
killing too much of the entropy during compression.
1 Bit of entropy for an event means that it can be predicted with
100% accuracy at most 50% of the time.
0.1 Bit of entropy for an event means that it can be predicted with
100% accuracy at most 95% of the time.
The "difficult" part is figuring out possible event sources,
sampling them, and making a very conservative assessment about the
actual amount of randomness in an event (or more precisely in the
delta between two events of the same type).
In order to create a seed with an estimated 128 Bits of entropy
for your CPRNG entropy pool, you would collect at least 1280 0.1-Bit
events or 128 1-Bit events, put them into an array and use a cryptographic
hash as a compression function, preferably a hash with 2x larger output
size than the amount of assumed combined entropy/randomness in the
collected events.
In typical PCs, workstations & servers you find plenty of "events"
that can be used. It may be more difficult for embedded devices, where
there is *much* less concurrency inside the device itself. But as soon
as there is some hardware media attached to such a device (LAN or WLAN),
or a harddisk with physical platters, there should be an event source
available, and if the hardware supports any high resolution counter
(a millisecond or better), such events can be sampled.
An IMHO poor source of entropy is a mouse moved by a human user.
It's actually confusing to see how popular mouse-moves seem to
be with key-generation programs for PCs, where *MUCH* better
sources of randomness are available that can collect at least
as good entropy without bothering the user.
-Martin
_______________________________________________
therightkey mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/therightkey
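The seeding procedure Martin describes (make a conservative per-event entropy estimate, collect enough events for the target, compress them with a cryptographic hash whose output is wider than the assumed entropy), as an added Python example that is not code from the thread or from any of its participants. The most-common-value min-entropy estimator, the timer-delta sampler and the function names are my assumptions about one way to do it; the sampler's real entropy rate is platform dependent and is not verified here, and the event lists used for checking are constructed.

```python
"""Seeding a CPRNG from conservatively estimated event entropy.

Added example, not code from the mailing-list thread. Everything below is
an assumption about one way to implement the described procedure; the
timer sampler is an illustrative event source whose entropy rate must be
measured on the target platform, never taken for granted.
"""
import hashlib
import math
import struct
import time
from collections import Counter
from typing import List


def min_entropy_per_event(samples: List[int]) -> float:
    """Conservative min-entropy estimate, in bits per event.

    Most-common-value estimator: if the most frequent delta occurs with
    probability p_max, an attacker who always guesses that value is right
    p_max of the time, so the event carries at most -log2(p_max) bits.
    p_max = 0.5 gives 1 bit; p_max = 0.95 gives about 0.074 bits.
    This assumes the samples are independent; correlated sources need a
    larger margin on top of this figure.
    """
    if not samples:
        return 0.0
    (_, count), = Counter(samples).most_common(1)
    p_max = count / len(samples)
    return -math.log2(p_max)


def events_needed(target_bits: float, bits_per_event: float) -> int:
    """Number of events to collect for target_bits at the assumed rate
    (128 bits at 0.1 bit/event -> 1280 events, at 1 bit/event -> 128)."""
    if bits_per_event <= 0:
        raise ValueError("event source carries no estimated entropy")
    return math.ceil(target_bits / bits_per_event)


def compress_to_seed(deltas: List[int], bits_per_event: float,
                     target_bits: int = 128) -> bytes:
    """Hash the collected event deltas into a seed.

    Refuses to emit a seed until enough events are present for target_bits
    at the assumed per-event rate. SHA-512's 512-bit output is more than
    2x the 128-bit target, so the compression step is not the bottleneck.
    """
    need = events_needed(target_bits, bits_per_event)
    if len(deltas) < need:
        raise ValueError(
            f"need {need} events for {target_bits} bits, have {len(deltas)}")
    # Fixed-width encoding so event boundaries are unambiguous to the hash.
    packed = b"".join(struct.pack(">q", d) for d in deltas)
    return hashlib.sha512(packed).digest()


def sample_timer_deltas(n: int) -> List[int]:
    """Assumed event source: deltas between consecutive high-resolution
    timer reads (jitter from scheduling, caches, interrupts). Back-to-back
    reads on an idle core carry little entropy; a real collector would
    timestamp external events (packets, disk completions) instead."""
    deltas = []
    prev = time.perf_counter_ns()
    for _ in range(n):
        now = time.perf_counter_ns()
        deltas.append(now - prev)
        prev = now
    return deltas


if __name__ == "__main__":
    live = sample_timer_deltas(4000)
    estimate = min_entropy_per_event(live)
    # Be more conservative than the estimator: halve it and cap at 1 bit.
    assumed = min(estimate / 2, 1.0)
    print(f"estimated {estimate:.3f} bit/event, assuming {assumed:.3f}")
    if assumed > 0 and len(live) >= events_needed(128, assumed):
        print("seed:", compress_to_seed(live, assumed).hex())
    else:
        print("not enough estimated entropy collected; keep sampling")
```

The estimate is an upper bound derived from a finite sample, so the demo halves it before use; in a real collector the per-source figure would come from offline measurement on the deployed hardware, and the seed would go into the pool rather than be printed.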