At 8:35 AM -0700 7/21/99, James A. Donald wrote:
>    --
>At 09:24 PM 7/19/99 +0100, Ben Laurie wrote:
>> So what you are saying is that you'd be happy to run your server
>> forever on an initial charge of 128 bits of entropy and no more
>> randomness ever?
>
>Yes, though I would probably prefer an initial charge of 1684 bits of
>entropy.  (the number of possible internal states of an RC4 state
>machine used as a pseudo random number generator.)
>

One nice advantage of using RC4 as a nonce generator is that you can easily
switch back and forth between key setup and code byte generation. You can
even do both at the same time. (There is no need to reset the index
variables.) This allows you to intersperse entropy deposits and withdrawals
at will.

In particular, if you deposit the time of each entropy withdrawal, the
proposed denial of service attack that started this thread would actually
replenish a few bits of entropy with each service request.

In addition RC4 is simple, making the code easy to inspect, and about as
fast as you can get in software.


Arnold Reinhold
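An added illustration (not code from the thread) of the RC4-as-entropy-pool idea Arnold describes: key-schedule mixing ("deposits") and keystream output ("withdrawals") share one pair of index variables that are never reset, so they can be interleaved, and each nonce request first deposits its own timestamp. The class, the method names and the 8-byte timestamp encoding are my own assumptions.

```python
import time
from typing import Optional


class RC4Pool:
    """RC4 state array used as an entropy pool (illustrative, assumed design).

    deposit() is the RC4 key-schedule step, withdraw() is the keystream step.
    Both advance the same i, j indices, which are never reset, so deposits and
    withdrawals can be interleaved at will.
    """

    def __init__(self, seed: bytes):
        self.S = list(range(256))
        self.i = 0
        self.j = 0
        self.deposit(seed)  # the initial charge of entropy

    def deposit(self, data: bytes) -> None:
        # One full KSA-style pass: 256 swaps driven by the data bytes (cycled).
        if not data:
            return
        S = self.S
        for k in range(256):
            self.j = (self.j + S[self.i] + data[k % len(data)]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            self.i = (self.i + 1) & 0xFF

    def withdraw(self, n: int) -> bytes:
        # PRGA step per byte: advance i, j += S[i], swap, emit S[S[i] + S[j]].
        S = self.S
        out = bytearray()
        for _ in range(n):
            self.i = (self.i + 1) & 0xFF
            self.j = (self.j + S[self.i]) & 0xFF
            S[self.i], S[self.j] = S[self.j], S[self.i]
            out.append(S[(S[self.i] + S[self.j]) & 0xFF])
        return bytes(out)

    def nonce(self, n: int = 16, now_ns: Optional[int] = None) -> bytes:
        # Deposit the time of this withdrawal first, so every request stirs
        # a few bits of timing into the pool before anything is taken out.
        t = time.time_ns() if now_ns is None else now_ns
        self.deposit((t & (2**64 - 1)).to_bytes(8, "big"))
        return self.withdraw(n)

    def is_permutation(self) -> bool:
        # Sanity check: swaps must keep S a permutation of 0..255.
        return sorted(self.S) == list(range(256))
```

Because the first deposit is exactly the standard RC4 key schedule, resetting i and j to zero right after construction reproduces the textbook RC4 keystream; the pool deliberately does not do that reset.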
