When is the blocking RNG called?

Sam Roberts sroberts at uniserve.com
Thu Nov 23 23:54:23 CET 2000


Quoting Enzo Michelangeli <em at who.net>, who wrote:
> This will work, but I tend to see it as overkill. I'm pretty happy with a
> PRNG for just about every task, as long as two conditions are satisfied:
> 
> 1) It must be impossible to guess its future output without knowing its
> internal state
> (which implies: 1.1 It must be impossible to guess its internal state from
> its output)
> 2) The PRNG is initially seeded with a sufficient amount of entropy
> 
> In this case, the generator is as good as a true RNG. It may be prudent to
> be more conservative because the condition 1) is difficult to ascertain, but
> under the theoretical point of view it is impossible to "deplete the entropy
> pool" of a good PRNG by just extracting bits, because entropy is only
> reduced when information on the internal state is gained, and that's
> excluded by 1.1.

That's my understanding as well.

> The most serious problem is the initial seeding required by 2): it can only
> be ensured efficiently if the generator is run as a separate daemon process.

That's not true; there's nothing a user space process can do that a
kernel driver can't do as well, particularly when entropy isn't introduced
by software, only by unpredictable external events, which are better detected in
the kernel anyway.

> I would favour a third type of pseudo-device, say /dev/xrandom, behaving
> like /dev/random until it had gathered enough entropy, then changing its
> behaviour to emulate /dev/urandom. That could be also implemented in EGD.

This would be trivial to implement in the Linux/BSD random driver; if you
looked, you could just do it.

Also, you can always make a /dev/random with the same minor
number as /dev/urandom and if you wait until you've been typing a few
minutes, you'll know you have enough entropy in the pool to be a decent
seed for the pool.

> The new Java iButton DS1957 (USD 27. apiece) has a built-in PRNG, which
> also allows it to generate keys internally (a plus for security). Dallas for
> it has serial, parallel and USB adapters at very reasonable prices (USD 5.),
> and free PKCS#11 drivers.

Is it just a PRNG, or does it have a source of true/physical entropy
that it uses as a seed for a PRNG?

Sam

-- 
Sam Roberts <sroberts at uniserve.com> (http://www.emyr.net/Sam)
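The thread contrasts three behaviours: a /dev/random that blocks whenever its entropy estimate is low, a /dev/urandom that never blocks, and Enzo's proposed /dev/xrandom that blocks only until it has been seeded once and then runs as a non-blocking CSPRNG, on the argument that extracting output from a good PRNG does not deplete its entropy. The sketch below is an added Python example, not code from the original post or from GnuPG or any kernel driver. Its HMAC-DRBG-style core (an SP 800-90A-like update/generate pair built on HMAC-SHA256), the 256-bit seeding threshold, the per-event entropy credit of 4 bits and the keystroke-timing events are all assumptions made for illustration; the event list is constructed sample input, not real measurements.

```python
import hashlib
import hmac

# Assumption: consider the pool seeded once this much entropy has been credited.
SEED_THRESHOLD_BITS = 256


class NotSeededError(Exception):
    """Raised when output is requested before the first full seed (the 'blocking' phase)."""


class XRandom:
    """Toy /dev/xrandom: blocks (raises) until enough entropy has been credited,
    then behaves like a non-blocking CSPRNG forever after.

    The core is an HMAC-DRBG-style construction (assumed here, simplified from
    NIST SP 800-90A): state is (key, v); reseeding mixes new data into both,
    and generating output advances v and then rekeys for backtrack resistance.
    """

    def __init__(self):
        self._key = b"\x00" * 32
        self._v = b"\x01" * 32
        self.credited_bits = 0  # entropy estimate; only ever increased by add_entropy()

    def _mac(self, key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, data: bytes) -> None:
        # HMAC-DRBG update: fold `data` (may be empty) into the key and v.
        self._key = self._mac(self._key, self._v + b"\x00" + data)
        self._v = self._mac(self._key, self._v)
        if data:
            self._key = self._mac(self._key, self._v + b"\x01" + data)
            self._v = self._mac(self._key, self._v)

    def add_entropy(self, sample: bytes, estimated_bits: int) -> None:
        """Mix an external event into the state and credit its (conservative) entropy estimate."""
        self._update(sample)
        self.credited_bits += estimated_bits

    @property
    def seeded(self) -> bool:
        return self.credited_bits >= SEED_THRESHOLD_BITS

    def read(self, n: int) -> bytes:
        """Return n pseudorandom bytes. Blocks (raises) only before the first full seed;
        reading never decrements credited_bits, matching the 'no depletion' argument."""
        if not self.seeded:
            raise NotSeededError(
                f"only {self.credited_bits}/{SEED_THRESHOLD_BITS} bits credited so far")
        out = b""
        while len(out) < n:
            self._v = self._mac(self._key, self._v)
            out += self._v
        self._update(b"")  # rekey so past output cannot be recovered from a later state
        return out[:n]


# Constructed sample input: 64 fake "keystroke at time t" events, each credited
# with an assumed 4 bits of entropy, so together they just reach the threshold.
CONSTRUCTED_EVENTS = [f"key={i % 26}:t={100_000 + i * 37}".encode() for i in range(64)]


def seed_from_events(gen: XRandom, events, bits_per_event: int = 4) -> bool:
    """Feed a sequence of events into the generator; return whether it is now seeded."""
    for ev in events:
        gen.add_entropy(ev, bits_per_event)
    return gen.seeded


if __name__ == "__main__":
    g = XRandom()
    try:
        g.read(16)
    except NotSeededError as e:
        print("blocked before seeding:", e)
    seed_from_events(g, CONSTRUCTED_EVENTS)
    print("seeded:", g.seeded, "->", g.read(16).hex())
    for _ in range(1000):  # heavy use does not move the generator back into blocking mode
        g.read(4096)
    print("still seeded after 4 MB of output:", g.seeded, g.credited_bits)
```

The two properties from Enzo's list map directly onto the code: condition 2 (sufficient initial seeding) is the `credited_bits` gate in `read()`, and condition 1 (state not recoverable from output) is what the HMAC construction is relied on for; the example only illustrates the accounting, it does not prove that property. Note that the entropy credit is a policy decision the driver must make about external events, which is the part of the design that cannot be verified from inside the generator.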



More information about the Gnupg-devel mailing list