Full Disclosure mailing list archives

Re: how i stopped worrying and loved the backdoor


From: Marsh Ray <marsh () extendedsubset com>
Date: Sun, 26 Dec 2010 13:28:56 -0600

On 12/25/2010 04:47 PM, coderman wrote:

> a torrent of raw output is preferable to a smaller stream of whitened,
> "more random" bits. there are a million kitschy ways to collect
> entropy like lava lamp cams and Bernoulli effects across your spinning
> disks.

Yes, and this is why professional cryptographers always leave the room 
as soon as the topic of entropy collection comes up: it inevitably ends 
up with a lot of amateurs arguing about the relative merits of diode 
junctions vs hamster cams.

(oh yeah, I went there) http://www.youtube.com/watch?v=a1Y73sPHKxw

There have been some high-profile breaks because of insufficient 
entropy, for example Netscape Navigator (Wagner 1996) and Debian OpenSSL 
(CVE-2008-0166). But those were total boneheaded screwups, I'm not aware 
of any cases where the implementers did a halfway competent job of 
estimating entropy input, seeding with at least 128 bits of it before 
key generation, and the resulting system was broken. Somebody come up 
with some examples.

So I'm not convinced that "entropy collection is hard".

I think it's probably more accurate to say:
* Accurate estimation of collected entropy is hard
* Gathering entropy quickly after power-on in WRT-54G hardware is hard
* Communicating the assumptions of sufficient entropy made by other 
parts of the system is hard.

This is important to get right because when people hear "entropy 
collection is hard" they become willing to throw common sense to the 
wind and adopt cures which are worse than the disease. E.g. OpenBSD 
substituting RC4 keyed by 64Kbit LFSRs for an established design.

- Marsh
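
The two points above about estimating entropy and seeding with at least 128 bits before key generation, as an added example that is not part of the original post or of any system it mentions. The `SeedPool` class, the 0.5 derating factor, the SHA-256 conditioning step and the sample data are assumptions made for illustration. It shows a simple most-common-value min-entropy estimate gating the seed, and how a histogram-based estimate over-credits a fully predictable counter.

```python
import hashlib
import math
from collections import Counter

SEED_BITS = 128  # minimum credited entropy before seeding, the figure named in the post


def min_entropy_per_sample(samples):
    """Most-common-value estimate: -log2(p_max). Assumes independent samples."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)


def shannon_per_sample(samples):
    """Shannon entropy of the histogram; credits more than min-entropy on biased input."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


class SeedPool:
    """Hypothetical pool: hashes raw samples in and credits a derated estimate."""

    def __init__(self):
        self._hash = hashlib.sha256()
        self.credited_bits = 0.0

    def add(self, samples, derate=0.5):
        # Mix every raw sample in, but only credit a conservative fraction.
        self._hash.update(bytes(samples))
        self.credited_bits += derate * min_entropy_per_sample(samples) * len(samples)

    def seed(self):
        # Refuse to hand out key material until the threshold is met.
        if self.credited_bits < SEED_BITS:
            raise RuntimeError("refusing to seed: %.0f bits credited" % self.credited_bits)
        return self._hash.digest()


# Constructed sample data, one byte value per sample.
STUCK = [0x5A] * 512                      # dead source: always the same value
BIASED = [0] * 128 + list(range(1, 129))  # one value appears half the time
COUNTER = list(range(256)) * 4            # fully predictable, yet a flat histogram

if __name__ == "__main__":
    for name, data in (("stuck", STUCK), ("biased", BIASED), ("counter", COUNTER)):
        print(name, min_entropy_per_sample(data), shannon_per_sample(data))
```

The counter input is credited the maximum 8 bits per sample even though it contains no unpredictability, which is why the estimate has to come from understanding the source rather than from its output statistics alone.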
