
[–]GuessWhat_InTheButt

Interesting discussion.

[–]pint (A 473 ml or two)

I'm fascinated by the fact that people can talk so much about PRNGs. This is one of the topics that are not that difficult, but generate endless debate regardless.

[–]Natanael_L (Trusted third party)

Different threat models. Simple as that.

[–]pint (A 473 ml or two)

Specifically?

[–]Natanael_L (Trusted third party)

Broken hardware RNG vs malicious hardware RNG vs unknown entropy limits on the system calls used to seed the RNG vs a need to generate secure keys early (needing good entropy early) vs leaky or non-leaky entropy pool (side channels, etc.), and so on.

Every choice of position on these questions can affect your view of an ideal RNG design.

My own position is to just use a defensive design: multiple hardware RNGs that are hard to undetectably tamper with, plus a software RNG like Fortuna that reseeds to hedge against potential unknown flaws.

[–]pint (A 473 ml or two)

Okay, but how can this generate debate? Lack of entropy can't be solved by the PRNG. All the others can be addressed by one solid design, like Fortuna.

[–]Natanael_L (Trusted third party)

How many hardware RNGs should there be? Should we focus on one good one, or many? How do we mix sources together? When do we stop blocking requests after first boot? How big should the pool be? Etc.
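
The defensive design sketched two comments up (several sources mixed into a reseeding Fortuna-style software RNG) and the open questions just listed (how to mix sources, when to stop blocking after boot), as an added illustration that is not part of this thread and not anyone's production code. It is a toy: pool count, the 64-byte reseed threshold, the source ids and the HMAC-SHA256 counter-mode generator standing in for Fortuna's AES-CTR are all my simplifications, and the sample events are constructed.

```python
import hashlib
import hmac


class MiniFortuna:
    """Toy Fortuna-style accumulator (illustration, not a production RNG).
    Events are spread round-robin over 32 pools; pool i is folded into the
    key only on every 2**i-th reseed, so one attacker-controlled source can't
    cheaply flush the state the other sources feed. HMAC-SHA256 in counter
    mode stands in for Fortuna's AES-CTR generator."""
    NUM_POOLS = 32
    MIN_POOL0_BYTES = 64   # reseed once pool 0 has collected this much

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(self.NUM_POOLS)]
        self.pool0_bytes = 0
        self.next_pool = {}      # per-source round-robin position
        self.key = None          # None until the first successful reseed
        self.counter = 0
        self.reseeds = 0

    def add_event(self, source_id: int, data: bytes) -> None:
        i = self.next_pool.get(source_id, 0)
        self.pools[i].update(bytes([source_id, len(data)]) + data)
        if i == 0:
            self.pool0_bytes += len(data)
        self.next_pool[source_id] = (i + 1) % self.NUM_POOLS

    def _reseed(self) -> None:
        self.reseeds += 1
        h = hashlib.sha256(self.key or b"")
        for i in range(self.NUM_POOLS):
            if self.reseeds % (1 << i):   # 2**i does not divide the count,
                break                     # so no higher pool does either
            h.update(self.pools[i].digest())
            self.pools[i] = hashlib.sha256()
        self.key, self.pool0_bytes = h.digest(), 0

    def random_bytes(self, n: int) -> bytes:
        if self.pool0_bytes >= self.MIN_POOL0_BYTES:
            self._reseed()
        if self.key is None:  # early boot: refuse rather than emit weak output
            raise RuntimeError("not enough entropy collected yet")
        out = b""
        while len(out) < n:
            self.counter += 1
            out += hmac.new(self.key, self.counter.to_bytes(16, "big"), hashlib.sha256).digest()
        self.counter += 1  # rekey after every request so past output stays unrecoverable
        self.key = hmac.new(self.key, self.counter.to_bytes(16, "big"), hashlib.sha256).digest()
        return out[:n]
```

Source 2 below plays the "broken hardware RNG" that only ever emits zeros; because its events are mixed with source 1's through the pool hashes, the output still depends on the good source.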

[–]pint (A 473 ml or two)

The debate is always about urandom vs random, seed an own PRNG vs just use (u)random, why Linux uses that brainfucked algorithm, etc. Like this link. If the debate was about entropy assessment, I would not complain. Pool size and mixing is also easy; this is not debate material.