On Mon, 2019-02-25 at 18:27 +0200, Uoti Urpala wrote:
> Ben Hutchings wrote:
> > The major input into the new seed file contents is the old seed file
> > contents. You are adding very little entropy on x86, and possibly
> > almost none on other architectures.
> >
> > Please reconsider this, as this description sounds dangerously
> > insecure.
>
> I don't think his goal was to add any significant entropy? I mean,
> using old seed file should be enough by itself, as long as the random
> state was ever initialized to an unpredictable state to create a secret
> seed file, the contents stayed secret, and there is no reuse of the
> same seed file without updating it on disk.
The output of the RNG may well become public, for example in document
UUIDs. So when estimating the entropy that the new seed file will
provide for the next boot, none of the entropy in the old seed file
should be credited.
Ben.
> At least I didn't read the proposal as relying on that added entropy
> for security.
>
>
--
Ben Hutchings
The obvious mathematical breakthrough [to break modern encryption]
would be development of an easy way to factor large prime numbers.
- Bill Gates
Attachment:
signature.asc
Description: This is a digitally signed message part