On Mon, Dec 20, 2004 at 02:32:28PM +0000, Andrew Suffield wrote:
> On Mon, Dec 20, 2004 at 10:19:32AM +0100, Florian Weimer wrote:
> > * Andrew Suffield:
> >
> > > The security of the session is limited by the randomness of the
> > > weakest key used. If you're going to use /dev/urandom then you might
> > > as well just not encrypt the session at all.
> >
> > Could you provide some rationale for this claim, preferably based on
> > the kernel code which implements /dev/urandom?
> [...]
> This is really elementary stuff. Even /Applied cryptography/-waving
> idiots should know it. I'm not going to write a lengthy essay on the
> difference between entropy and non-entropy.

Andrew, your statement "you might as well just not encrypt the session at all" is plain wrong.

Yes, urandom is not guaranteed to be 100% random; it may degenerate to a simple pseudo-RNG. Still, it would be extremely hard for an attacker to guess the state of this pseudo-RNG, because it's shared between several processes retrieving and inserting entropy.

So, in the worst case, using /dev/urandom is as good as using a pseudo-RNG with a hard-to-guess initial state, which is much better than no encryption at all, and sufficient for most real-world purposes.

Jan