On 9/19/23 01:36, Roberto A. Foglietta wrote:
On Tue, 19 Sept 2023 at 03:25, Michael Conrad
<mcon...@intellitree.com> wrote:
On 9/18/23 06:14, Guillermo Rodriguez Garcia wrote:
everything is compressed with gzip -7. This is the worst
scenario.
However, even in the worst scenario due to gzip one single bit of
difference in the input generates a completely different
compressed
output:
Compression (or any other deterministic manipulation of data)
does not add any entropy (or "unpredictability") since the
processing is 100% reproducible.
In terms of entropy the output of the function is as good (or as
bad) as the amount of entropy in the initial seed.
Hi Michel,
Even aside from that, using gzip as some sort of hash function is
not going to be anywhere near as good as using an actual hash
function, like sha256, sha1 or even md5.
PREMISE
Hashing functions and compression algorithms are two completely
different kinds of mathematical tools. The most obvious difference is that
That's a very large response so I'm not sure which part to quote, but I
think you're still missing the point. Assuming your initialization of
randomness is meant to stop people from guessing the RSA/SSL keys you
generate on a small low-power device during startup scripts, the
attacker will probably have a copy of your device and be able to replay
any of the steps you take during your startup script. It will not
matter whether you took a few random bits and a large static text and
ran it through pigz before feeding it to /dev/urandom, because the
attacker will start with guesses of the same few bits and also run them
and that same static text through pigz to potentially get the same
output. If they mirror your initialization of /dev/urandom, then they
can try to guess your RSA keys. The only defense is having more actual
bits of entropy, or preserving them from a previous boot in a manner
that the attacker can't read.
My comment about hashing functions was implying that they would be used
repeatedly, not that the entire input would be condensed into one single
hash. Yes there is a reduction of entropy if you feed a hash function
more than 20 bytes of data and only get 20 out of it. My point was that
no hashing or compression is needed, because the kernel RNG is itself a
sort of hash function and should handle that. Just feed it the raw
input bytes.
-Mike
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox