Re: Fortuna

From: Theodore Ts'o
Date: Mon Apr 18 2005 - 23:02:43 EST

Next message: Chris Wedgwood: "Re: [PATCH x86_64] Live Patching Function on 2.6.11.7"
Previous message: Stephen Hemminger: "Re: a networking question"
In reply to: David Wagner: "Re: Fortuna"
Next in thread: David Wagner: "Re: Fortuna"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Mon, Apr 18, 2005 at 09:40:37PM +0000, David Wagner wrote:
> Yes, that is a minor glitch, but I believe all their points remain
> valid nonetheless. My advice is to apply the appropriate s/MD5/SHA1/g
> substitution, and re-read the paper to see what you can get out of it.
>
> The problem is not that the paper is shallow; it is not. The source
> of the error is likely that this paper was written by theorists, not
> implementors. There are important things we can learn from them, and I
> think it is worth reading their paper carefully to understand what they
> have to offer.

Since the paper was written by theorists, it appears that they didn't
bother to read the implementation, but instead made assumptions from
the man pages, as well as making the assumption that the man page
(which was not written as a specification from which the code was
implemented, and indeed was not even written by the code authors) was
in fact an accurate representation of drivers/char/random.c.

So section 5.3 is essense a criticism of a straw man implementation
based on a flawed reading of a flawed man page. Other than that, it's
fine. :-)

> I believe they raise substantial and deep questions in their Section 5.3.
> I don't see why you say Section 5.3 is all wrong. Can you elaborate?
> Can you explain one or two of the substantial errors you see?

For one, /dev/urandom and /dev/random don't use the same pool
(anymore). They used to, a long time ago, but certainly as of the
writing of the paper this was no longer true. This invalidates the
entire last paragraph of Section 5.3.

The criticisms of the /dev/random man page do have some point, but the
man page != the implementation. Also, the paper does not so much make
an attack on the entropy estimator, so much as it casts asperions on
it, while at the same time making the unspoken assumption that
cryptographic primitives are iron-clad and unbreakable.

So I don't see any particular substantial deep questions, unless you
count, "It is not at all clear that /dev/random ... provides
information-theoretic security. Indeed, we suspect it sometimes
doesn't" as a deep question. I don't.

- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Chris Wedgwood: "Re: [PATCH x86_64] Live Patching Function on 2.6.11.7"
Previous message: Stephen Hemminger: "Re: a networking question"
In reply to: David Wagner: "Re: Fortuna"
Next in thread: David Wagner: "Re: Fortuna"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]