lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <4D179778.20609@extendedsubset.com>
Date: Sun, 26 Dec 2010 13:28:56 -0600
From: Marsh Ray <marsh@...endedsubset.com>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: how i stopped worrying and loved the backdoor

On 12/25/2010 04:47 PM, coderman wrote:
>
> a torrent of raw output is preferable to a smaller stream of whitened,
> "more random" bits. there are a million kitschy ways to collect
> entropy like lava lamp cams and Bernoulli effects across your spinning
> disks.

Yes, and this is why professional cryptographers always leave the room 
as soon as the topic of entropy collection comes up: it inevitably ends 
up with a lot of amateurs arguing about the relative merits of diode 
junctions vs hamster cams.

(oh yeah, I went there) http://www.youtube.com/watch?v=a1Y73sPHKxw

There have been some high-profile breaks because of insufficient 
entropy, for example Netscape Navigator (Wagner 1996) and Debian OpenSSL 
(CVE-2008-0166). But those were total boneheaded screwups, I'm not aware 
of any cases where the implementers did halfway competent job of 
estimating entropy input, seeding with at least 128 bits of it before 
key generation, and the resulting system was broken. Somebody come up 
with some examples.

So I'm not convinced that "entropy collection is hard".

I think it's probably more accurate to say:
* Accurate estimation of collected entropy is hard
* Gathering entropy quickly after power-on in WRT-54G hardware is hard
* Communicating the assumptions of sufficient entropy made by other 
parts of the system is hard.

This is important to get right because when people hear "entropy 
collection is hard" they become willing to throw common sense to the 
wind and adopt cures which are worse than the disease. E.g. OpenBSD 
substituting RC4 keyed by 64Kbit LFSRs for an established design.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ