lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <AANLkTik+QbqYCvD44XAUP_3xfG4tOLwZE7yE3rJOgv-K@mail.gmail.com>
Date: Fri, 24 Dec 2010 16:27:23 -0800
From: coderman <coderman@...il.com>
To: Marsh Ray <marsh@...endedsubset.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: how i stopped worrying and loved the backdoor

On Fri, Dec 24, 2010 at 1:53 AM, Marsh Ray <marsh@...endedsubset.com> wrote:
> ...
> So there are these many hundreds of lines of entropy management code in
> OpenBSD implementing what is claimed to be a novel architecture for random
> number generation and yet this guy, who is going around giving talks on it,
> is expecting someone else to quantify it and "come forward with a paper"?

given the OpenBSD architecture and entropy consumption the performance
and characteristics of random number generation and use is very
context and architecture specific. while i agree this guy should have
access to either his own or remotely accessible compatibility test
cluster, he clearly is lacking applied test and measurement with
sufficient detail "for a paper".

in any case, did i mention good entropy is hard? :)



> The burden of proof lies with the "amateur cryptographers" making the
> security claims about it, not those questioning them.

sure. perhaps the most frequent misconception is the model around
entropy consumption in OpenBSD vs. most other unix and windows
variants. OpenBSD in particular assumes significant and sustained use
of random numbers in across kernel and userspace domains.

this is a distinction conveniently negligible if you've got fast true
random hardware entropy sources available.

speaking of Cassandra complex, coming up on a decade of hw entropy
advocacy [0] and still about the same level of progress as IPv6 core
deployment...  how many of you have a competent userspace entropy
daemon funneling hardware sources into host pool?

  *grin*


0. VIA Padlock C5XL, C5P XSTORE
   http://www.mail-archive.com/openssl-dev@openssl.org/msg18264.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ