> On Jul 21, 2019, at 5:03 PM, Joerg Sonnenberger <jo...@bec.de> wrote:
>
>
> [EXTERNAL EMAIL]
>
> On Sun, Jul 21, 2019 at 08:50:30PM +0000, paul.kon...@dell.com wrote:
>> /dev/urandom is equivalent to /dev/random if there is adequate entropy,
>> but it will also deliver random numbers not suitable for cryptography before
>> that time.
>
> This is somewhat misleading. The problem is that with an unknown entropy
> state, the system cannot ensure that an attacker couldn't predict the
> seed used for the /dev/urandom stream. That doesn't mean that the stream
> itself is bad. It will still pass any statistical test etc.
That's exactly my point. If you're interested in a statistically high quality
pseudo-random bit stream, /dev/urandom is a gread source. But if you need a
cryptographically strong random number, then you can't safely proceed with an
unknown entropy state for the reason you stated, which translates into "you
must use /dev/random".
> Note that with the option of seeding the CPRNG at boot time, a lot of
> the distinction is actually moot.
Yes, if at boot time you get enough entropy then /dev/random is unblocked. The
distinction still matters because an application can't know this, so it should
express its requirements by choosing the correct device.
paul
