On 12/25/2010 04:47 PM, coderman wrote:
>
> a torrent of raw output is preferable to a smaller stream of whitened,
> "more random" bits. there are a million kitschy ways to collect
> entropy like lava lamp cams and Bernoulli effects across your spinning
> disks.

Yes, and this is why professional cryptographers always leave the room as soon as the topic of entropy collection comes up: it inevitably ends up with a lot of amateurs arguing about the relative merits of diode junctions vs hamster cams. (oh yeah, I went there)

http://www.youtube.com/watch?v=a1Y73sPHKxw

There have been some high-profile breaks because of insufficient entropy, for example Netscape Navigator (Wagner 1996) and Debian OpenSSL (CVE-2008-0166). But those were total boneheaded screwups. I'm not aware of any cases where the implementers did a halfway competent job of estimating entropy input, seeding with at least 128 bits of it before key generation, and the resulting system was broken. Somebody come up with some examples.

So I'm not convinced that "entropy collection is hard". I think it's probably more accurate to say:

* Accurate estimation of collected entropy is hard
* Gathering entropy quickly after power-on in WRT-54G hardware is hard
* Communicating the assumptions of sufficient entropy made by other parts of the system is hard.

This is important to get right because when people hear "entropy collection is hard" they become willing to throw common sense to the wind and adopt cures which are worse than the disease. E.g. OpenBSD substituting RC4 keyed by 64Kbit LFSRs for an established design.

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
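As an added example, not part of Marsh's message or of the original thread, the following Python script illustrates the first bullet above (accurate estimation of collected entropy is hard): on a constructed set of raw timing deltas, a Shannon estimate credits roughly four times as many bits per sample as the min-entropy estimate, which changes how many raw samples must be gathered before the 128-bit seeding threshold the post mentions is reached. The sample data, the "device just after power-on" scenario and the helper names are all constructed for illustration.

```python
"""Entropy credit per raw sample: Shannon vs. min-entropy.

Constructed data, not from the thread: 8-bit timing deltas from an
imaginary idle device just after power-on, where one delta value
dominates. The 128-bit threshold is the one cited in the post.
"""
import math
from collections import Counter

SEED_BITS_REQUIRED = 128


def shannon_entropy_bits(samples):
    """Average information per sample; what naive estimators report."""
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())


def min_entropy_bits(samples):
    """Worst-case bits per sample: -log2 of the most frequent value's
    probability. This is the figure a seed pool should be credited with."""
    n = len(samples)
    p_max = max(Counter(samples).values()) / n
    return -math.log2(p_max)


def samples_needed(bits_per_sample, required=SEED_BITS_REQUIRED):
    """Raw samples to collect before the pool holds `required` bits.
    Returns None when the source earns no credit at all (constant output)."""
    if bits_per_sample <= 0:
        return None
    return math.ceil(required / bits_per_sample)


# Constructed sample: 70% of deltas are the same value (37); the remaining
# 30% are spread evenly over 15 other values, 20 occurrences each.
CONSTRUCTED_DELTAS = [37] * 700 + list(range(15)) * 20


def compare_estimates(samples=CONSTRUCTED_DELTAS):
    """Return (shannon_bits, min_entropy_bits, (needed_shannon, needed_min))."""
    h = shannon_entropy_bits(samples)
    h_min = min_entropy_bits(samples)
    return h, h_min, (samples_needed(h), samples_needed(h_min))


if __name__ == "__main__":
    h, h_min, (n_shannon, n_min) = compare_estimates()
    print(f"Shannon:     {h:.3f} bits/sample -> {n_shannon} samples for 128 bits")
    print(f"Min-entropy: {h_min:.3f} bits/sample -> {n_min} samples for 128 bits")
```

Crediting the pool by the Shannon figure would declare it seeded after 63 samples; the min-entropy figure requires 249, and a source that repeats one value earns no credit at all.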