[Cryptography] Random numbers only once

ianG iang at iang.org
Tue Feb 4 02:03:21 EST 2014 

On 4/02/14 08:12 AM, Watson Ladd wrote:
> As DJB pointed out on another listhost, one only needs 256 random bits
> once, and can then use a PRF to generate an indefinite number forever.
> Why does /dev/random not do this and so avoid blocking after startup?

There is a historical perspective here, where schools of thought have
shifted.



Back in the 1990s we all believed in entropy as the important target.
Recall the old PGP instructions to bash on the keyboard...  It was
thought that this was 'the way' to create sufficient unpredictability
for keys.

But this proved too hard.  Collecting lots of entropy is a target that
only gets reached in a smaller number of circumstances.  VMs, phones,
servers, embedded, users, GUIs, etc, have trouble.

Then, some bright spark (not sure who) pointed out that as we are in
security, we only need to provide RNs that are unpredictable *to the
attacker*.  Not to us.

This is a strictly weaker target than entropy.  It takes a while to wrap
ones head around this shifting of the goal posts.

So, given this strictly weaker target, how to do?  Well, it turns out
this is relatively easy:  use a stream cipher, and see it with a small
amount of entropy.

Now the task has become:  collect a /small/ amount of entropy, say 256
bits, and seed a /big/ cipher stream.  (DJB would say salsa/chacha and I
agree.)



Which has rather dramatic ramifications on the API.  Now back to Linux.
 It views the old school, and says "if you want entropy, use /dev/random
and if not, use /dev/urandom."  The problem here is that because it is
promising an entropy target, it needs to cope with blocking, etc.

In contrast FreeBSD shifted across a decade or so ago and tied them both
together as a PRNG.  You can't get entropy any more, you can only get
the output of the PRNG.  Which is sufficient, and it works far better.

As nobody has been able to explain why we need real entropy in general
[0], this is actually the better choice.

Philosophical Question for Linux is then, why are they still bothering
with the old school entropy thing?  It's too hard.



I say more here:
http://iang.org/ssl/hard_truths_hard_random_numbers.html



> It wouldn't be that hard to write to a defined block of a disk image
> these 32 random bytes.


I think the daemon does that, right?

iang



[0] Until that is RDRAND came along, and the PRNG suddenly wasn't
suitable :)

More information about the cryptography mailing list