Re: use of RDRAND in $random_library
Ugh, sorry to follow up to myself, but I got a key part of this wrong.
Russ Allbery <rra@debian.org> writes:
> At least based on my understanding of the theory, I think that mixing a
> backdoored entropy source with other entropy sources in a random number
> generator like Fortuna (which is based on the AES block cipher in
> counter mode) would make it quite difficult for an attacker with
> knowledge of the back door to exploit that knowledge.
Fortuna does indeed use AES in counter mode to generate the random number
stream, but it uses SHA-256 to mix in entropy. This is the primary
defense against a backdoored entropy source (like the hardware random
number generator, if one is concerned that it has a back door): mixing it
with other entropy sources using a one-way hash like SHA-256 should mean
that any one entropy source cannot *decrease* the total entropy of the
system when added to other entropy sources, assuming SHA-256 functions
correctly as a cryptographic hash.
> I don't know enough about the exact algorithm behind /dev/random to be
> sure that the same is true for it, but I would hope that it is.
> (Although Wikipedia says that it's hash-based, which would probably make
> it quite a bit slower than Fortuna since hashes are slower than block
> ciphers.)
Fortuna is also hash-based in that sense (it uses a hash to mix in
entropy), so I should say that I don't know any of the details of the
difference between it and /dev/random.
--
Russ Allbery (rra@debian.org) <http://www.eyrie.org/~eagle/>
Reply to: