Re: Fortuna

[David Wagner]

Theodore Ts'o  wrote:
>For one, /dev/urandom and /dev/random don't use the same pool
>(anymore).  They used to, a long time ago, but certainly as of the
>writing of the paper this was no longer true.  This invalidates the
>entire last paragraph of Section 5.3.

Ok, you're right, this is a serious flaw, and one that I overlooked.
Thanks for elaborating.  (By the way, has anyone contacted to let them
know about these two errors?  Should I?)

I see three remaining criticisms from their Section 5.3:
1) Due to the way the documentation describes /dev/random, many
   programmers will choose /dev/random by default.  This default
   seems inappropriate and unfortunate.
2) There is a widespread perception that /dev/urandom's security is
   unproven and /dev/random's is proven.  This perception is wrong.
   On a related topic, it is "not at all clear" that /dev/random provides
   information-theoretic security.
3) Other designs place less stress on the entropy estimator, and
   thus are more tolerant to failures of entropy estimation.  A failure
   in the entropy estimator seems more likely than a failure in the
   cryptographic algorithms.
These three criticisms look right to me.

Apart from the merits or demerits of Section 5.3, the rest of the paper
seemed to have some interesting ideas for how to simplify and possibly
improve the /dev/random generator, which might be worth considering at
some point.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/