howto secure older keys after the recent attacks

Doug Barton dougb at dougbarton.us
Tue Sep 22 21:40:45 CEST 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: RIPEMD160

David Shaw wrote:
> There are occasional debates on who has the better PRNG.  The debates
> usually end with no changes on either side :)
> 
> That isn't to say there aren't differences between systems - the FreeBSD
> PRNG (which seems to have been inherited by OSX) is of a fairly
> different construction than the Linux one, which has led to some mild
> controversy in the past.  Notably, the Linux one blocks if you run out
> of gathered entropy, and the FreeBSD one does not.  FreeBSD /dev/random
> is similar to Linux's /dev/urandom.

That description is not quite accurate. FreeBSD (and OSX, which
actually inherited quite a bit of userland and other bits from
FreeBSD) uses the Yarrow PRNG. Here is an excerpt from the wikipedia
/dev/random article:

	Yarrow places a lot of emphasis on avoiding any pool
	compromise and on recovering from it as quickly as possible.
	It is regularly reseeded; on a system with a small amount of
	network and disk activity, this is done after a fraction of a
	second.

http://en.wikipedia.org/wiki//dev/random

So while it is correct to say that, like a traditional SysV
/dev/urandom, our /dev/random does not block (except in extraordinary
circumstances, unlikely to happen in any real world application), it
is not correct to say that it continues handing out bits of dubious
quality when it "runs out of entropy." (I realize that is not
specifically what you said, David, but since at least one reader seems
to have come to that conclusion based on what you did say, I felt
compelled to respond.)

As the Wikipedia article also points out, we have support for hardware
entropy devices as well, so anyone doing "heavy duty" crypto stuff has
that option available. But for the casual user our current system is
more than enough.

And yes, I realize that this is an area of debate, which is why I
purposely included your first quote above in my reply. :) My purpose
is not to debate which is "better," rather to bring some light to the
topic of what we're actually doing.

Anyone interested in more details about Yarrow can read the paper at
http://www.schneier.com/paper-yarrow.html.


hth,

Doug (aka dougb at FreeBSD.org)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.13 (FreeBSD)

iEYEAREDAAYFAkq5KD0ACgkQyIakK9Wy8Pv8dwCeMbTkNlTvaK2Npz7acx3zlzCW
pxEAoMaj4NhMmoX9xu5c9d4MThuVjTT8
=MsTX
-----END PGP SIGNATURE-----
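The two properties the message turns on, that the FreeBSD generator does not block when no fresh entropy has arrived, and that regular reseeding limits how long a compromised pool stays useful to an attacker, can be shown with a small generator model. The following is an added illustration, not code from this thread, from FreeBSD, or from the Yarrow paper: it collapses Yarrow's fast and slow pools and its block cipher into a single SHA-256 pool and a hash-in-counter-mode output function, and the entropy samples and entropy estimates are constructed for the demonstration.

```python
import hashlib


class ReseedingGenerator:
    """Simplified non-blocking generator in the spirit of Yarrow (assumption:
    an illustrative model, not the real FreeBSD/Yarrow construction).

    Output blocks are SHA-256(key || counter), so reads never wait for entropy.
    Incoming samples are hashed into a pool together with an estimated entropy
    count; once the estimate crosses a threshold the pool is folded into the
    key, which is what lets the generator recover from a state compromise.
    """

    def __init__(self, seed: bytes, reseed_threshold_bits: int = 128):
        self.key = hashlib.sha256(b"seed" + seed).digest()
        self.counter = 0
        self.pool = hashlib.sha256()
        self.pool_bits = 0              # accumulated entropy estimate
        self.threshold = reseed_threshold_bits
        self.reseeds = 0

    def add_entropy(self, sample: bytes, estimated_bits: int) -> None:
        """Mix a sample (e.g. an interrupt timestamp) into the pool."""
        self.pool.update(sample)
        self.pool_bits += estimated_bits
        if self.pool_bits >= self.threshold:
            self._reseed()

    def _reseed(self) -> None:
        # New key depends on both the old key and the pool contents, so an
        # attacker must know the pooled samples to follow the state forward.
        self.key = hashlib.sha256(b"reseed" + self.key + self.pool.digest()).digest()
        self.pool = hashlib.sha256()
        self.pool_bits = 0
        self.counter = 0
        self.reseeds += 1

    def read(self, n: int) -> bytes:
        """Return n bytes; never blocks, regardless of the pool's state."""
        out = bytearray()
        while len(out) < n:
            out.extend(hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest())
            self.counter += 1
        return bytes(out[:n])

    def snapshot(self) -> "ReseedingGenerator":
        """Exact copy of the internal state (models an attacker who has read it)."""
        clone = ReseedingGenerator.__new__(ReseedingGenerator)
        clone.key = self.key
        clone.counter = self.counter
        clone.pool = self.pool.copy()
        clone.pool_bits = self.pool_bits
        clone.threshold = self.threshold
        clone.reseeds = self.reseeds
        return clone


def demo_compromise_recovery():
    """Returns (predictable_before_reseed, predictable_after_reseed, reseed_count).

    An attacker who copied the state can predict output until the next reseed
    mixes in samples the attacker did not observe.
    """
    victim = ReseedingGenerator(b"constructed initial seed", reseed_threshold_bits=64)
    stolen = victim.snapshot()                      # simulated state compromise

    before = stolen.read(16) == victim.read(16)     # identical state -> identical output

    # Four constructed samples, each credited with 16 bits: crosses the 64-bit
    # threshold and triggers exactly one reseed.
    for i in range(4):
        victim.add_entropy(b"constructed event %d" % i, estimated_bits=16)

    after = stolen.read(16) == victim.read(16)      # diverges after reseed
    return before, after, victim.reseeds


def read_with_empty_pool(n: int) -> int:
    """Shows the non-blocking property: bytes come back even with no entropy added."""
    return len(ReseedingGenerator(b"constructed seed").read(n))


if __name__ == "__main__":
    print(demo_compromise_recovery())   # (True, False, 1)
    print(read_with_empty_pool(4096))   # 4096
```

The point of the model is the ordering the message describes: output quality does not degrade as the pool is consumed, because output is a keyed function rather than a withdrawal from a finite store, while the reseed boundary is what bounds the damage from a compromised key. The real generator's entropy estimates and pool split are what decide how often that boundary is crossed.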



More information about the Gnupg-users mailing list