
Re: use of RDRAND in $random_library

Ugh, sorry to follow up to myself, but I got a key part of this wrong.

Russ Allbery <rra@debian.org> writes:

> At least based on my understanding of the theory, I think that mixing a
> backdoored entropy source with other entropy sources in a random number
> generator like Fortuna (which is based on the AES block cipher in
> counter mode) would make it quite difficult for an attacker with
> knowledge of the back door to exploit that knowledge.

Fortuna does indeed use AES in counter mode to generate the random number
stream, but it uses SHA-256 to mix in entropy.  This is the primary
defense against a backdoored entropy source (like the hardware random
number generator, if one is concerned that it has a back door): mixing it
with other entropy sources using a one-way hash like SHA-256 should mean
that any one entropy source cannot *decrease* the total entropy of the
system when added to other entropy sources, assuming SHA-256 functions
correctly as a cryptographic hash.

> I don't know enough about the exact algorithm behind /dev/random to be
> sure that the same is true for it, but I would hope that it is.
> (Although Wikipedia says that it's hash-based, which would probably make
> it quite a bit slower than Fortuna since hashes are slower than block
> ciphers.)

Fortuna is also hash-based in that sense (it uses a hash to mix in
entropy), so I should say that I don't know any of the details of the
difference between it and /dev/random.

Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>
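A small illustration of the mixing property described above, added here as an example and not code from the post or from any Fortuna implementation. It folds events into a single pool with SHA-256 (Fortuna uses 32 pools), reseeds with SHA-256d, and uses SHA-256 in counter mode as a stand-in for Fortuna's AES generator so that it runs with only the standard library; the source ids and sample events are constructed.

```python
import hashlib

POOL_INIT = b"\x00" * 32  # constructed: empty pool state

def mix(pool: bytes, source_id: int, event: bytes) -> bytes:
    """Fold one entropy event into the pool with SHA-256.  The source id and
    length are prepended, as in Fortuna, so events cannot be re-split."""
    framed = bytes([source_id, len(event) & 0xFF]) + event
    return hashlib.sha256(pool + framed).digest()

def reseed(key: bytes, pool: bytes) -> bytes:
    """Derive a new generator key as SHA-256d(old key || pool digest)."""
    inner = hashlib.sha256(key + pool).digest()
    return hashlib.sha256(inner).digest()

def generate(key: bytes, counter: int, nbytes: int) -> bytes:
    """Counter-mode output stream.  Fortuna uses AES here; SHA-256 over
    (key || counter) is a stand-in so the example needs only hashlib."""
    out = bytearray()
    while len(out) < nbytes:
        out += hashlib.sha256(key + counter.to_bytes(16, "little")).digest()
        counter += 1
    return bytes(out[:nbytes])

def seed_key(honest_events, suspect_event: bytes) -> bytes:
    """Build a generator key from events of an honest source (id 0) and one
    event from a source the attacker may fully know (id 1)."""
    pool = POOL_INIT
    for ev in honest_events:
        pool = mix(pool, 0, ev)
    pool = mix(pool, 1, suspect_event)
    return reseed(b"\x00" * 32, pool)

def distinct_keys(suspect_event: bytes, trials: int) -> int:
    """Hold the attacker-known source fixed and vary only the honest source;
    a sound mixer keeps every trial's key distinct, i.e. the known source
    cannot collapse the entropy contributed by the others."""
    keys = {seed_key([i.to_bytes(4, "big")], suspect_event) for i in range(trials)}
    return len(keys)

if __name__ == "__main__":
    fixed = b"\x00" * 32  # constructed: worst case, a fully predictable source
    print(distinct_keys(fixed, 256))  # 256: the known source collapsed nothing
    print(generate(seed_key([b"\x01"], fixed), 0, 16).hex())
```

The converse also holds: an attacker who knows only source 1 still faces every distinct key the honest source produced, which is the property the post relies on.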
