Followup to: <200008091653.MAA03365@tsx-prime.MIT.EDU>
By author: "Theodore Y. Ts'o" <tytso@MIT.EDU>
In newsgroup: linux.dev.kernel
>
> I think there's something wrong with this analysis. That bit isn't
> appearing out of thin air, it's coming out of the pool. If the attacker
> knew all the inputs to the pool, he'd know that bit as well. So this is
> zero new bits. Otherwise, we could recursively generate arbitrary amounts
> of entropy by calling the PRNG!
>
> I believe Andi was positing the existence of a separate PRNG, and my
> point was that if you are afraid the adversary knows the interrupt
> stream timing perfectly, the only additional "entropy" which is added
> comes from the PRNG. Of course, the PRNG can be at most
> cryptographically strong, which means that it's not really contributing
> any entropy..... which was my point.
>
This is, of course, exactly what /dev/urandom is -- a
cryptographically strong PRNG continually reseeded (when possible)
from the kernel random pool.
-hpa
-- <hpa@transmeta.com> at work, <hpa@zytor.com> in private! "Unix gives you enough rope to shoot yourself in the foot." http://www.zytor.com/~hpa/puzzle.txt- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.rutgers.edu Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Aug 15 2000 - 21:00:19 EST