Ugh, sorry to follow up to myself, but I got a key part of this wrong.

Russ Allbery <r...@debian.org> writes:

> At least based on my understanding of the theory, I think that mixing a
> backdoored entropy source with other entropy sources in a random number
> generator like Fortuna (which is based on the AES block cipher in
> counter mode) would make it quite difficult for an attacker with
> knowledge of the back door to exploit that knowledge.

Fortuna does indeed use AES in counter mode to generate the random number stream, but it uses SHA-256 to mix in entropy. This is the primary defense against a backdoored entropy source (like the hardware random number generator, if one is concerned that it has a back door): mixing it with other entropy sources using a one-way hash like SHA-256 should mean that any one entropy source cannot *decrease* the total entropy of the system when added to other entropy sources, assuming SHA-256 functions correctly as a cryptographic hash.

> I don't know enough about the exact algorithm behind /dev/random to be
> sure that the same is true for it, but I would hope that it is.
> (Although Wikipedia says that it's hash-based, which would probably make
> it quite a bit slower than Fortuna since hashes are slower than block
> ciphers.)

Fortuna is also hash-based in that sense (it uses a hash to mix in entropy), so I should say that I don't know any of the details of the difference between it and /dev/random.

-- 
Russ Allbery (r...@debian.org) <http://www.eyrie.org/~eagle/>

Archive: https://lists.debian.org/877g4lwh5m....@windlord.stanford.edu
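An added illustration of the mixing step the message describes (example code written for this page, not Fortuna's reference implementation or anything from the list thread): a Fortuna-style accumulator that hashes every event from every source into 32 SHA-256 pools, drains pool i on every 2**i-th reseed, and folds the drained pools into the key with SHA-256. The output stage uses SHA-256 in counter mode instead of AES-CTR purely to avoid a dependency; `POOL_COUNT`, `MIN_POOL_SIZE` and the event framing are assumptions for the example.

```python
import hashlib
import struct

POOL_COUNT = 32
MIN_POOL_SIZE = 64  # reseed only once pool 0 has collected this many bytes (assumed)


class FortunaAccumulator:
    """Fortuna-style accumulator: every source is mixed through SHA-256, so a
    source the attacker controls cannot cancel out entropy from the others."""

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(POOL_COUNT)]
        self.pool_bytes = [0] * POOL_COUNT
        self.next_pool = 0
        self.reseed_count = 0
        self.key = b"\x00" * 32
        self.counter = 0

    def add_event(self, source_id, data):
        """Append one event (tagged with source id and length) to the pools round-robin."""
        pool = self.next_pool
        self.pools[pool].update(bytes([source_id, len(data)]) + data)
        self.pool_bytes[pool] += len(data)
        self.next_pool = (pool + 1) % POOL_COUNT

    def reseed(self):
        """Fold pools into the key; pool i takes part when 2**i divides the reseed count."""
        if self.pool_bytes[0] < MIN_POOL_SIZE:
            return False
        self.reseed_count += 1
        seed = b""
        for i in range(POOL_COUNT):
            if self.reseed_count % (1 << i) != 0:
                break
            seed += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()  # drained pool starts empty again
            self.pool_bytes[i] = 0
        self.key = hashlib.sha256(self.key + seed).digest()
        return True

    def random_bytes(self, n):
        """Counter-mode output (SHA-256 standing in for AES), then rekey so that
        a later state compromise does not reveal earlier output."""
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.key + struct.pack(">Q", self.counter)).digest()
            self.counter += 1
        self.key = hashlib.sha256(self.key + struct.pack(">Q", self.counter)).digest()
        self.counter += 1
        return out[:n]
```

Feeding only the attacker-known source versus that source plus one independent source yields different keys, which is the "cannot decrease the total entropy" property in miniature: predicting the output requires the other sources' input too.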