In message <v04011701b3c4f4fbabb1@[24.218.56.100]>, "Arnold G. Reinhold" writes:

> 
> I'd spin it the other way. The best approach to making nonces -- DH
> exponents, symmetric keys, etc -- is to use a true source of randomness.
> That eliminates one area of risk. However most computers do not come with
> random number sources, so one uses unpredictable events and so on to glean
> entropy. To harvest that entropy you use a whitener. If you use a
> cryptographic function to do your whitening you get the added advantage of
> shielding the randomness pool from an attacker.

Define "best approach".  
> 
> Unfortunately, the unpredictable events may be hard to characterize and
> could conceivably be subject to external control. Also they may not be able
> to keep up with peak demand for nonces. As the originator of this thread
> pointed out, that can even be the basis of a denial of service attack. But
> if you design your whitener right, whenever there is a problem with the
> entropy feed, it will gracefully degrade into a cryptographic PRNG while
> still using whatever scraps of entropy you send it.


As you note, unpredictable events may not be that unpredictable.  The 
advantage of a PRNG is that its behavior doesn't change due to, say, 
environmental influences or circuit component aging.  That means that they're
not "best" against certain threats, if your PRNG is good enough and 
well-seeded enough.  A sound design mixes both.
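As an added illustration of the design the thread describes (an entropy pool fed through a cryptographic whitener, so that when the event feed stalls it keeps producing output as a deterministic CSPRNG seeded by whatever it already absorbed), not code from either poster. The class, its names and the HMAC-SHA256 construction are my own simplified sketch, not a standards-track DRBG.

```python
import hashlib
import hmac


class WhitenedPool:
    """Hypothetical entropy pool: every output passes through HMAC-SHA256,
    so the pool never exposes raw events and degrades to a CSPRNG when
    no new entropy arrives."""

    def __init__(self, seed: bytes):
        # Initial key derived from whatever seed material is available
        # (constructed seed in the test; a real system would use an
        # OS entropy source or hardware RNG).
        self.key = hashlib.sha256(b"pool-init" + seed).digest()
        self.counter = 0

    def add_entropy(self, event: bytes) -> None:
        # Whitening step: fold an unpredictable event into the key. Mixing
        # the old key in means a biased or externally influenced event
        # cannot cancel entropy the pool already holds.
        self.key = hmac.new(self.key, b"mix" + event, hashlib.sha256).digest()

    def get_nonce(self, n: int = 32) -> bytes:
        # Output = HMAC(key, counter); the counter never repeats, and the key
        # is ratcheted afterwards so a later state compromise does not reveal
        # nonces already handed out (the "shielding" the thread mentions).
        out = b""
        while len(out) < n:
            ctr = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, ctr, hashlib.sha256).digest()
            self.counter += 1
        self.key = hmac.new(self.key, b"ratchet", hashlib.sha256).digest()
        return out[:n]


def starved_pools_agree(seed: bytes, rounds: int = 3) -> bool:
    """Two pools with the same seed and no entropy feed behave as the same
    deterministic CSPRNG: the graceful-degradation case."""
    a, b = WhitenedPool(seed), WhitenedPool(seed)
    return all(a.get_nonce() == b.get_nonce() for _ in range(rounds))


def fed_pool_diverges(seed: bytes, event: bytes) -> bool:
    """A single scrap of entropy changes the whole output stream."""
    a, b = WhitenedPool(seed), WhitenedPool(seed)
    b.add_entropy(event)
    return a.get_nonce() != b.get_nonce()
```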

