Re: RAND_add() and the entropy...

Wed, 14 Nov 2001 10:41:11 -0800 

On Wed, Nov 14, 2001 at 07:01:28PM +0100, Juan Segarra wrote:
> My question relates to the entropy parameter in RAND_add() function and
> the use of it along the command line applications.
> 
> I've observed that nearly all calls to RAND_add() have their entropy set
> to 0. I'm writing some examples about crypto functions and most of them
> need the PRNG being seeded before use and i'm very interested in doing
> this well.
> 
> By now i've been calculating the entropy parameter with Shannon's
> expression (256 possible states) divide by 8. But the way it's handled in
> command line applications confuses me.
> 
> So... what's the meaning of entropy? Or... how can i estimate it?

The entropy parameter should tell, how much "uncertainty" is in the
data provided. With 256 variations per byte you will find a certain number
of possible states for 100bytes, but if the 100bytes are english text,
not all of these possible states have the same probability. You will
find a lot of "e", " ", "a" and only few "ö" symbols. Therefore the
entropy is not the full amount but it is (much) lower.
A good guess about the "informational contents" is the amount that is
left after you run a compression algorithm over the data. You will e.g.
find, that a typical maillog file can be compressed down to 10% of its
original size (depending on the typical events loggted, of course).
One would therefore account only 10% of the original byte count as
entropy.

If you have a phyisical source, you may be able to calculate the entropy
available from this source by phyisical knowledge. When taking input
from a computer you have to guess the number and the compression factor
is one indicator.
If we choose a value of 0, we mean that there may be entropy in it, but
maybe an attacker can predict the value, so we use it but do not count
it as a really unpredictable input.

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to