Bugtraq mailing list archives

Re: /dev/random is probably not


From: Darren Reed <avalon () caligula anu edu au>
Date: Wed, 6 Jul 2005 01:00:27 +1000 (Australia/ACT)

In some mail from exon, sie said:
>  * If this estimate goes to zero, the routine can still generate
>  * random numbers; however, an attacker may (at least in theory) be
>  * able to infer the future output of the generator from prior
>  * outputs.  This requires successful cryptanalysis of SHA, which is
>  * not believed to be feasible, but there is a remote possibility.
>  * Nonetheless, these numbers should be useful for the vast majority
>  * of purposes.
>
> Judging by nmap evaluation of the ip-stack, OpenBSD and FreeBSD have
> very strong PRNGs as well. I haven't got access to a NetBSD system to
> test with.

nmap is not a good measure of this problem.

Linux cited using keyboard interrupts.  How many of those happen on
a web server in a rack, in an air conditioned computer room somewhere?
How many happen when you open up your web browser and select your
internet banking web site from your bookmarks?

The original email pointed out that disk seek times may not be quite
as random as previously thought, especially with compact flash and
similar mediums.

In the case of polled I/O (for 1Gb+ NICs), is there any entropy
gained from network IRQ serving?

What the original article was getting at is that perhaps not all of
the information you think of as random information going into your
PRNG is actually random.  If that happens then even though the
output of the PRNG "looks random", it may be predictable.

Darren
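An added illustration of the point made above, not code from Darren, exon or the Linux random driver: once a hash-based output stage is in the way, statistical checks on the PRNG output (the monobit test here, nmap's ISN analysis in the thread) cannot tell how little entropy went in. What decides predictability is the number of distinct inputs the source could have produced. The generator is a toy SHA-256 counter-mode expander standing in for the real pool, and the "seek time" samples are constructed for the example, not measurements of any hardware.

```python
# Added illustration (not from the thread): a hash-based output stage makes
# any seed "look random", so statistical checks on PRNG output cannot tell
# how much entropy actually went in.  Only the size of the space of possible
# inputs decides whether the output is predictable.  All timing samples
# below are constructed for the example, not measurements of real hardware.
import hashlib
import itertools
import math
from collections import Counter


def shannon_bits_per_sample(samples):
    """Entropy estimate (bits per sample) from the empirical distribution.

    This is an upper bound under an independence assumption; a source with a
    repeating pattern carries even less than the estimate suggests, and with
    only n samples the estimate itself can never exceed log2(n)."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def pack(samples):
    """Serialise timing samples as the raw material fed to the output stage."""
    return b"".join(s.to_bytes(4, "big") for s in samples)


def expand(seed_material, nbytes):
    """Toy output stage: SHA-256 in counter mode over the seed material."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed_material + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def looks_random(data, tolerance=0.05):
    """Crude monobit test: the fraction of set bits is close to one half.
    SHA-256 output passes this no matter how little entropy seeded it."""
    ones = sum(bin(b).count("1") for b in data)
    return abs(ones / (8 * len(data)) - 0.5) < tolerance


def seed_space_size(n_samples, distinct_values):
    """Number of distinct inputs an observer would have to consider."""
    return distinct_values ** n_samples


def recover_seed(output_prefix, n_samples, candidate_values):
    """Predictability made concrete: when the source can only take a handful
    of values, every possible input can be tried against the observed output."""
    for combo in itertools.product(candidate_values, repeat=n_samples):
        if expand(pack(combo), len(output_prefix)) == output_prefix:
            return list(combo)
    return None


# Constructed "seek completion time" samples, in microseconds.
# Flash-like medium: every access lands in one of four timing slots.
FLASH_SEEK_US = [100 + (i % 4) for i in range(8)]
# Spinning disk: head travel and rotational latency spread the values widely
# (here drawn from 9973 possible values).
DISK_SEEK_US = [2000 + (i * 1237) % 9973 for i in range(8)]


if __name__ == "__main__":
    flash_out = expand(pack(FLASH_SEEK_US), 512)
    disk_out = expand(pack(DISK_SEEK_US), 512)
    print(f"flash: {shannon_bits_per_sample(FLASH_SEEK_US):.2f} bits/sample, "
          f"output looks random: {looks_random(flash_out)}, "
          f"inputs to consider: {seed_space_size(8, 4)}")
    print(f"disk:  output looks random: {looks_random(disk_out)}, "
          f"inputs to consider: 2^{math.log2(seed_space_size(8, 9973)):.0f}")
    # 4**8 = 65536 candidate inputs: the flash-seeded output is recovered at once.
    print("recovered flash seed:", recover_seed(flash_out[:16], 8, [100, 101, 102, 103]))
```

Both outputs pass the monobit check, yet the flash-seeded one is fully determined by 16 bits of input and is recovered from 16 bytes of output by plain enumeration. The defensive lesson is the one Darren draws: credit entropy by what the input source can actually deliver, measured at the source, not by how the output looks.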

