At 02:42 PM 1/26/02 -0600, cameron wrote:
>Can someone tell me what the system entropy pool is (and maybe how it works) or
>direct me to some documentation on it?

If you've ever written a program in C (or C++, or a similar language) that used random numbers, then you're probably familiar with the need for a "seed" value for a pseudo-random number generator. If you seed a PRNG with the same value every time, it will produce the same sequence of numbers every time (not very random, is it?). For a lot of applications it's considered a Good Thing(tm) to seed the PRNG with the current time when the program is started, but for cryptographic purposes this sucks.

If you generate a key pair based on the output of a PRNG seeded with the current time, then all a person has to do in order to guess your private key is grab a copy of the same encryption program (so he has the same pseudo-random number generator) and start guessing as to what time you ran the program. The attacker only needs to cover a period of a few weeks or months (at most) and typically only at 1-second resolution, so should be able to get the correct key within a matter of seconds on a good computer. Clearly this is not the sort of security you want for a "secure" web connection over SSL or the SSH shell you're using for remote root access...

The purpose of the entropy pool is to store up measurements of unpredictable data (hardware interrupt timings, etc.) for use as seed values when generating random numbers for applications (like SSH and SSL) where it's important to have really random numbers.

I'd suggest you drop by your local library and look at books relating to cryptography. The math can get a little intense, but if you don't balk at things like modular arithmetic and finite field theory you should be fine. Most such books will also have a section on random number generators, and most good (often called "hybrid") random number generators rely on an entropy pool. If you can't find anything that suits you I can e-mail you a copy of a paper I wrote on random number generators last year (mind you it was a term paper, not a serious research paper).

You can usually also find stuff related to random number generation in advanced statistics books (anything that deals with "Monte Carlo" techniques), but they tend to concentrate on tests of randomness and pseudo-random numbers, whereas an entropy pool is concerned with producing real random numbers. About the only really useful thing I got out of all this research was to learn that all cryptosystems written in Java (using Java's random number generator) are very, very easy to crack.

--
"Of course, Linux has become userfriendly. See, you can now click buttons. But the thing is you don't feel like clicking them". - Naba kumar
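
Added example, not part of the original message: the time-seeding weakness described above, next to key generation that draws from the kernel entropy pool instead. The 16-byte key, the use of the C library's rand(), the function names and the timestamp are all assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define KEY_LEN 16

/* WEAK: every key byte is determined by the seed, here a 1-second timestamp. */
static void weak_keygen(time_t seed, uint8_t key[KEY_LEN]) {
    srand((unsigned)seed);
    for (int i = 0; i < KEY_LEN; i++)
        key[i] = (uint8_t)(rand() & 0xff);
}

/* Measures the real key space: how many timestamps in [from, to] have to be
 * replayed before the same key comes out again. Returns -1 if none match. */
static long seeds_to_match(const uint8_t target[KEY_LEN], time_t from, time_t to) {
    uint8_t guess[KEY_LEN];
    long tried = 0;
    for (time_t t = from; t <= to; t++) {
        tried++;
        weak_keygen(t, guess);
        if (memcmp(guess, target, KEY_LEN) == 0) return tried;
    }
    return -1;
}

/* HARDENED: key bytes come from the kernel entropy pool via /dev/urandom. */
static int strong_keygen(uint8_t key[KEY_LEN]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(key, 1, KEY_LEN, f);
    fclose(f);
    return n == KEY_LEN ? 0 : -1;
}

int main(void) {
    uint8_t key[KEY_LEN];
    time_t made = (time_t)1012077720;   /* constructed "program start" time */
    weak_keygen(made, key);
    /* A window of one day either side is only 172801 candidate keys. */
    printf("time-seeded key reproduced after %ld guesses\n",
           seeds_to_match(key, made - 86400, made + 86400));
    if (strong_keygen(key) != 0) return 1;
    printf("pool-seeded key reproduced in same window: %ld (-1 = no)\n",
           seeds_to_match(key, made - 86400, made + 86400));
    return 0;
}
```

The 128-bit key from weak_keygen carries no more uncertainty than the number of seconds in the window searched; the key from strong_keygen does not depend on the clock at all.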