[onerng talk] What is the entropy generation rate of the OneRNG?
Paul Campbell
paul at taniwha.com
Thu Aug 20 00:04:02 BST 2015
On Wed, 19 Aug 2015 23:24:14 ianG wrote:
> The RNG should be feeding the "entropy" in as a seed into the PRNG, so
> there should be no limit to the output other than as you say context
> switching and PRNG machinations.
>
> *BSD works that way, I think Linux is a bit more complicated, it's still
> working on the old school way of trying to measure entropy and feed out
> some similar claim of entropy, before switching to PRNG.
Linux essentially provides both services:
/dev/random is a flow controlled PRND that produces data at the same rate that
new entropy is mixed into it's pool, it stops when it's entropy count is 0
/dev/urandom works exactly the same way except it doesn't stop the PRNG when
entropy hits 0 - most code should use /dev/urandom
------------------------------------------------------------------------
The way I see the problem is that the PRNG has some hidden state that an
external attacker is trying to guess (to predict future, or maybe past values)
every time we extract a random number from it and expose it to the world (TCP
sequence numbers etc) we give away a tiny amount of information about its
internal state, if we don't continually mix in some entropy long term an
attacker can accumulate information - we don't have to stir in more entropy
for every bit we take out to be functional but regular applications makes
guessing the internal state continually hard
Paul
More information about the Discuss
mailing list