On 2014-11-22 03:01, d...@deadhat.com wrote:
>> Rather than me listing "names", why not just let it rip and run your own
>> randomness tests on it?
> Because that won't tell me if you are performing entropy extraction.
> Jytter assumes an x86 machine with multiple asynchronous clocks and
> nondeterministic physical devices. This is not a safe assumption. Linux
> assumes entropy in interrupt timing and this was the result:
> https://factorable.net/weakkeys12.extended.pdf
> This falls under the third model of source in my earlier email. Your
> extractor might look simple, but your system is anything but simple, and
> entropy extracted from rdtsc and interrupts amounts to squish.
> Looking at the timing on your system and saying "it looks random to me"
> does not cut it. Portable code has to have a way to know system timing is
> random on every platform it runs on. The above paper shows that it isn't.
> Jytter does something neat, but the broad claims you are making and the
> broader claims the Jytter web site makes do not pass the sniff test.
By and large, usually, interrupt timing is somewhat random, and, if not
random, unknowable to the adversary.
But this is not guaranteed, and likely to be untrue if you have several
identical systems, such as routers, which need randomness at boot up.
All your routers are likely to wind up generating keys from a rather
small set of possible keys.
It is extremely easy to get true randomness, or at least randomness
unknowable to the adversary. It is extremely hard to get true
randomness reliably in an unknown or arbitrary system. You really have
to tinker your entropy collection to your situation, to your particular
system.
128 bits of entropy is enough forever, so the big problem is start-up.
A long-running system is bound to have plenty of entropy; anything more
than 128 bits is plenty. So if it writes a unique secret key to each boot-up
image, and each boot-up has access to a good approximation to the
current time, we are golden.
_______________________________________________
cryptography mailing list
cryptography@randombit.net
http://lists.randombit.net/mailman/listinfo/cryptography
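An added illustration of the identical-routers point and of the per-image-secret fix proposed at the end of the thread (example code, not from the thread, from Jytter, or from Linux): the boot timing trace is a constructed simulation whose apparent noise is a deterministic function of a 4-bit hidden state, standing in for low-entropy rdtsc/interrupt deltas on a fresh device.

```python
import hashlib
import hmac
import os
import random
import struct


def boot_timing_samples(system_state: int, n: int = 32) -> bytes:
    """Constructed stand-in for rdtsc/interrupt timing deltas collected early
    at boot on a fleet of identical devices. The deltas look noisy enough to
    pass a casual 'looks random to me' check, but they are a deterministic
    function of a tiny hidden state (4 bits), so the whole fleet shares at
    most 16 distinct traces. Assumption for the demo, not a measurement."""
    prng = random.Random(system_state)  # same hidden state -> same trace
    return b"".join(struct.pack("<H", prng.randrange(1 << 16)) for _ in range(n))


def key_from_timing_only(samples: bytes) -> bytes:
    """Timing-only extraction: hash the trace and use the digest as a key."""
    return hashlib.sha256(samples).digest()


def key_with_per_image_secret(secret: bytes, samples: bytes, clock: int) -> bytes:
    """The fix from the thread: mix a secret unique to this boot image plus an
    approximation of the current time into the same timing material."""
    return hmac.new(secret, samples + struct.pack("<Q", clock), hashlib.sha256).digest()


def distinct_keys(fleet_size: int, per_image_secret: bool, clock: int = 1416625260) -> int:
    """Count distinct first-boot keys across a fleet of identical devices
    whose boot timing is drawn from only 16 possible traces."""
    keys = set()
    for device in range(fleet_size):
        samples = boot_timing_samples(device % 16)
        if per_image_secret:
            secret = os.urandom(32)  # written into this device's image at imaging time
            keys.add(key_with_per_image_secret(secret, samples, clock))
        else:
            keys.add(key_from_timing_only(samples))
    return len(keys)


if __name__ == "__main__":
    print("timing only:     ", distinct_keys(1000, False), "distinct keys among 1000 devices")
    print("per-image secret:", distinct_keys(1000, True), "distinct keys among 1000 devices")
```

With timing alone, 1000 devices collapse onto 16 keys; the same timing plus a per-image secret and the clock gives 1000.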