> On Jul 22, 2019, at 10:52 AM, Joerg Sonnenberger <jo...@bec.de> wrote:
>
>
> [EXTERNAL EMAIL]
>
> On Sun, Jul 21, 2019 at 09:13:48PM +0000, paul.kon...@dell.com wrote:
>>
>>
>>> On Jul 21, 2019, at 5:03 PM, Joerg Sonnenberger <jo...@bec.de> wrote:
>>>
>>>
>>> [EXTERNAL EMAIL]
>>>
>>> On Sun, Jul 21, 2019 at 08:50:30PM +0000, paul.kon...@dell.com wrote:
>>>> /dev/urandom is equivalent to /dev/random if there is adequate entropy,
>>>> but it will also deliver random numbers not suitable for cryptography
>>>> before that time.
>>>
>>> This is somewhat misleading. The problem is that with an unknown entropy
>>> state, the system cannot ensure that an attacker couldn't predict the
>>> seed used for the /dev/urandom stream. That doesn't mean that the stream
>>> itself is bad. It will still pass any statistical test etc.
>>
>> That's exactly my point. If you're interested in a statistically high
>> quality pseudo-random bit stream, /dev/urandom is a gread source. But
>> if you need a cryptographically strong random number, then you can't
>> safely proceed with an unknown entropy state for the reason you stated,
>> which translates into "you must use /dev/random".
>
> That distinction makes no sense at all to me. /dev/urandom is *always* a
> cryptographically strong RNG. The only difference here is that without
> enough entropy during initialisation of the stream, you can brute force
> the entropy state and see if you get a matching output stream based on
> that seed.
I use a different definition of "cryptographically strong". A bit string
that's guessable is never, by any useful definition, "cryptographically strong"
no matter what the properties of the string extender are. The only useful
definition for the term I can see is as a synonym for "suitable for security
critical value in cryptographic algorithms". An unseeded /dev/urandom output
is not such a value.
RFC 1750 is still a useful resource even though it's 25 years old. There is
newer work by highly respected cryptographers, too.
paul