> No, not true. The mixing into the entropy pool uses a twisted LFSR, but
> all outputs from the pool (to either /dev/random or /dev/urandom)
> filter the output through SHA-1 as a whitener. The key here, though,
> and what makes this fundamentally different from Yarrow, is that since
> we're feeding the entire (large) entropy pool through SHA-1, even if the
> SHA-1 algorithm is very badly broken (say as in what's been happening
> with MD5), as long as there's sufficient entropy in the pool, the
> adversary can define but minimal information about the pool, since the
> 8192 -> 160 bit transform has to lose information by definition.
Broken?? Please explain.
Igmar
-
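As an added illustration of the argument in the quoted paragraph (this is example code, not from the thread or from the kernel's random.c): a shrunken toy pool whose mixing step is a simplified stand-in for the twisted LFSR, whitened by hashing the whole pool with SHA-1, with every pool state enumerated to count how many states collapse onto each output. The pool and output sizes (16 and 8 bits) are toy values chosen so the enumeration finishes instantly; the text's sizes are 8192 and 160.

```python
"""Toy model of the pool -> SHA-1 whitening step described in the quoted text.

Illustrative only, NOT the kernel's random.c: the mixing function is a
deliberately simplified stand-in for the twisted LFSR, and the pool is
shrunk so that every possible pool state can be enumerated.
"""
import hashlib
import math
from collections import Counter


def mix_in(pool: int, word: int, pool_bits: int) -> int:
    """Simplified LFSR-style mix: rotate the pool, XOR in the new word and a
    feedback bit. Assumption: a stand-in for the kernel's twisted-LFSR mixing;
    the real tap positions and twist table are not reproduced."""
    mask = (1 << pool_bits) - 1
    rotated = ((pool << 7) | (pool >> (pool_bits - 7))) & mask
    return (rotated ^ word ^ (pool >> (pool_bits - 1))) & mask


def whiten(pool: int, pool_bits: int, out_bits: int) -> int:
    """Output stage: hash the *entire* pool with SHA-1 and keep out_bits of it.
    Since out_bits < pool_bits the map is many-to-one, which is the
    'pool -> 160 bit transform has to lose information' argument."""
    digest = hashlib.sha1(pool.to_bytes(pool_bits // 8, "big")).digest()
    return int.from_bytes(digest, "big") >> (160 - out_bits)


def preimage_counts(pool_bits: int, out_bits: int) -> Counter:
    """Enumerate every pool state and count how many land on each output."""
    counts: Counter = Counter()
    for pool in range(1 << pool_bits):
        counts[whiten(pool, pool_bits, out_bits)] += 1
    return counts


def residual_bits(counts: Counter, output: int) -> float:
    """Bits of pool state still unknown to an adversary who can fully invert
    the hash for one observed output: log2 of the consistent pool states."""
    return math.log2(counts[output])


if __name__ == "__main__":
    POOL_BITS, OUT_BITS = 16, 8  # toy sizes; the text describes 8192 -> 160
    counts = preimage_counts(POOL_BITS, OUT_BITS)
    pool = 0
    for word in (0xBEEF, 0x1234, 0x0F0F):  # constructed sample inputs
        pool = mix_in(pool, word, POOL_BITS)
    out = whiten(pool, POOL_BITS, OUT_BITS)
    print(f"output {out:#04x} is consistent with {counts[out]} pool states "
          f"(~{residual_bits(counts, out):.1f} bits unresolved)")
    print(f"at the text's sizes at least {8192 - 160} bits stay unresolved")
```

Even with a perfect inversion of the toy hash, each output leaves roughly 8 bits of pool state undetermined, which is the pigeonhole point the quoted paragraph makes.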
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Fri Sep 15 2000 - 21:00:19 EST