At 9:45 AM -0700 7/28/99, bram wrote:
>On Tue, 27 Jul 1999, Eugene Leitl wrote:
>
>> So what's the magic with the entropy pool? Because current algorithms
>> don't have enough state, and because the hidden structure of their
>> pseudorandomness starts shining through after a while?
>
>The idea is to make it so that if there is a failure, and an attacker does
>find out what the internal state of the pool is, it won't be useful for
>long.
>

I'd spin it the other way. The best approach to making nonces -- DH
exponents, symmetric keys, etc -- is to use a true source of randomness.
That eliminates one area of risk. However most computers do not come with
random number sources, so one uses unpredictable events and so on to glean
entropy. To harvest that entropy you use a whitener. If you use a
cryptographic function to do your whitening you get the added advantage of
shielding the randomness pool from an attacker.

Unfortunately, the unpredictable events may be hard to characterize and
could conceivably be subject to external control. Also they may not be able
to keep up with peak demand for nonces. As the originator of this thread
pointed out, that can even be the basis of a denial of service attack. But
if you design your whitener right, whenever there is a problem with the
entropy feed, it will gracefully degrade into a cryptographic PRNG while
still using whatever scraps of entropy you send it.


Arnold Reinhold
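The pool design the two messages above describe, as an added illustration that is not code from the original thread or from any particular operating system's generator: raw events are folded into a pool through a hash (the whitener), output is drawn through a keyed cryptographic function so the pool is never exposed, the pool is ratcheted after every read, and with no fresh entropy the whole thing is just a cryptographic PRNG keyed by the pool. The personalization strings, the choice of SHA-256/HMAC-SHA256, the `harvest_timing_jitter` helper and the sample "interrupt-delta" event are all assumptions made for this example; the last three functions are checks that return booleans so the properties can be verified rather than asserted in prose.

```python
import hashlib
import hmac
import struct
import time


class EntropyPool:
    """Toy hash-based entropy pool with a cryptographic whitener.

    Raw, possibly attacker-influenced events go in through mix(); output
    comes out through get(), which never hands out the pool contents.
    (Teaching model only; a real program should use the OS generator.)
    """

    def __init__(self, seed: bytes = b"") -> None:
        # Personalization string (an assumption of this example) plus any
        # caller-supplied seed; with no seed the pool is a deterministic
        # PRNG until mix() is called.
        self.pool = hashlib.sha256(b"toy-pool-v1" + seed).digest()
        self.counter = 0

    def mix(self, event: bytes) -> None:
        """Whitening step: fold one raw event into the pool.

        The event is hashed together with the current pool, so it only has
        to be somewhat unpredictable; an attacker who controls the event
        cannot steer the pool to a chosen value without already knowing it.
        """
        self.pool = hashlib.sha256(
            self.pool + b"mix" + struct.pack(">I", len(event)) + event
        ).digest()

    def get(self, n: int) -> bytes:
        """Return n output bytes without revealing the pool.

        Output is HMAC-SHA256(pool, counter) in counter mode. Afterwards the
        pool is ratcheted through a one-way function, so a later capture of
        the pool does not recover the bytes already handed out. Starved of
        new entropy, this is exactly a cryptographic PRNG keyed by the pool.
        """
        out = bytearray()
        while len(out) < n:
            out += hmac.new(self.pool, b"out" + struct.pack(">Q", self.counter),
                            hashlib.sha256).digest()
            self.counter += 1
        self.pool = hmac.new(self.pool, b"ratchet", hashlib.sha256).digest()
        return bytes(out[:n])


def harvest_timing_jitter(pool: EntropyPool, samples: int = 64) -> int:
    """Mix clock/scheduler jitter into the pool; returns the events mixed.

    This stands in for the 'unpredictable events' of the message. It is a
    weak, hard-to-characterize source, which is why it goes through the
    whitener instead of being used as key material directly.
    """
    last = time.perf_counter_ns()
    for _ in range(samples):
        now = time.perf_counter_ns()
        pool.mix(struct.pack(">q", now - last))
        last = now
    return samples


def starved_pool_is_a_prng() -> bool:
    """Same seed and no events: identical streams (a deterministic CSPRNG);
    a slightly different seed: a completely different stream."""
    a, b, c = EntropyPool(b"seed"), EntropyPool(b"seed"), EntropyPool(b"seee")
    a1, b1, c1 = a.get(32), b.get(32), c.get(32)
    return a1 == b1 and a1 != c1


def output_does_not_leak_pool() -> bool:
    """Output is neither the old pool nor the new one, and the pool moved on."""
    p = EntropyPool(b"seed")
    before = p.pool
    out = p.get(32)
    return out != before and out != p.pool and p.pool != before


def recovers_after_state_compromise() -> bool:
    """bram's point: a captured pool predicts output only until fresh
    entropy, unseen by the attacker, is mixed in."""
    victim = EntropyPool(b"seed")
    attacker = EntropyPool()
    attacker.pool, attacker.counter = victim.pool, victim.counter  # snapshot
    if attacker.get(16) != victim.get(16):
        return False  # with the full state, the attacker must win here
    # Constructed sample event the attacker does not observe.
    victim.mix(b"interrupt-delta:1337")
    return attacker.get(16) != victim.get(16)
```

The ratchet in `get()` is what turns "the pool is compromised" into "the pool was compromised for a while": a snapshot predicts output only until the next unseen `mix()`, and reading backwards from a snapshot is blocked by the one-way step. The graceful degradation is visible in `starved_pool_is_a_prng`: with the entropy feed stalled, the generator keeps producing output that is deterministic given the pool but still unpredictable to anyone without it.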
