On Fri, 2013-07-19 at 10:42 -0700, Andy Isaacson wrote: > On Fri, Jul 19, 2013 at 01:17:51PM +0100, Michael Rogers wrote: > > On 19/07/13 13:03, KheOps wrote: > > > Just came accross this article, apparently showing the bad quality > > > of the hardware RNG in Raspberri Pi devices. > > > > > > http://scruss.com/blog/2013/06/07/well-that-was-unexpected-the-raspberry-pis-hardware-random-number-generator/ > > > > > > Quite interesting since (pseudo-) random numbers are heavily used > > > in crypto. Interesting also to see another post on this topic, > > > after the study of a random number generation procedure formerly > > > used in Cryptocat and that was also problematic. > > > > Is that what the article shows? Looks to me like the Raspberry Pi's > > hardware RNG (/dev/hwrng) is being held up as an example of 'good > > randomness' in contrast to the RANDU algorithm's 'bad randomness'. > > Regardless of the quality of the HW RNG on RPI, it's not good to expose > the entropy directly to userspace in /dev/hwrng. Rather, the RPI kernel > should mix the entropy into the kernel entropy pool and apps should use > /dev/random to get high-quality entropy mixed from all available entropy > sources. That way even if an attacker has a backdoor to the HW RNG, > the user still has a second line of defense due to the other > unpredictable data mixed into the same pool.
And there's a daemon for this: apt-get install rng-tools -- Mathematics is the supreme nostalgia of our time. -- Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech