> On Sun, 23 Jul 2000, Mark Murray wrote:
> 
> > Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> > the old approach. It is also the approach that you are advocating.
> > 
> > The next paragraph "Yarrow takes..." is Yarrow, and the current
> > implementation.
> 
> "The strength of the first approach is that, if properly designed, it is
> possible to get unconditional security from the PRNG."

"if properly designed" is the key phrase. The previous one was not, and
I do not have the cryptographic skill to do so.

> This is a good thing :-)

In theory :-). In practice, we have no algorithms to go on.

> Please understand that this is not a personal attack - I appreciate your
> work, and welcome it in FreeBSD. My concern is with what Yarrow does not
> do, but which FreeBSD needs: a PRNG which is capable of generating
> arbitrarily large keys.

We are limited by the rate at which we can harvest entropy. The PC
platform has quite close to Jack Shite available if there is no-one
on the keyboard.

> > How do we fix it? What accumulation algorithm do we use that does not
> > clue the reader into what the internal state is?
> 
> I suggest we ask Bruce Schneier instead of bantering back and forth about
> the issue. I claim (supported by the quote above) that it's possible to
> implement such a system securely and have it co-exist with Yarrow.

In theory, yes. I'll ask Schneier. He's already said he'll look at my
code when he has the time.

> > _My_ point is that the old system is broken, and that IMO Yarrow is a
> > good replacement. (I support my point by noting that Schneier is a far
> > better cryptographer than I, and he designed the algorithm that I
> > implemented).
> 
> Yarrow is a good replacement for /dev/urandom. However it doesn't provide
> features which I believe are necessary, namely the ability to generate
> high-entropy keys of arbitrary size, without severely impacting on PRNG
> performance by constantly reseeding.

Here we must agree to differ. :-)

Yarrow's data _is_ high entropy. It is indistinguishable from "real"
entropy if done right (for the purposes of this argument, I need to
assume that Schneier does it right). Yarrow is "attack oriented",
which is the correct approach if you want your numbers for crypto and
not for (say) science.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
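The two mechanisms this thread argues about, an entropy accumulator that only reseeds once enough estimated entropy has been harvested, and a fast generator that can emit arbitrarily long output from one seed, are shown below in a small Yarrow-style toy. This is an added illustration, not FreeBSD's /dev/random code and not Schneier's reference design: HMAC-SHA256 stands in for the block cipher, the entropy estimates attached to each sample are constructed, and the class and method names are the example's own. It makes Murray's point concrete: a 4096-byte key drawn from a pool that has seen 128 estimated bits carries at most those 128 bits, whatever its length, which is why the harvest rate and not the output rate bounds key strength.

```python
import hashlib
import hmac
import struct


class ToyYarrowGenerator:
    """Illustrative Yarrow-style PRNG (added example, not FreeBSD's implementation).

    - samples are hashed into a pool together with a running entropy estimate
    - the output key is replaced (reseeded) only when the pool estimate reaches
      RESEED_THRESHOLD_BITS, so output is not stalled by every harvested event
    - output blocks come from a keyed PRF in counter mode (HMAC-SHA256 here;
      the real design uses a block cipher)
    - a generator gate rekeys from the generator's own state every GATE_BLOCKS
      blocks so a later key compromise does not reveal earlier output
    """

    RESEED_THRESHOLD_BITS = 128   # constructed threshold for the example
    GATE_BLOCKS = 10              # constructed gate interval

    def __init__(self):
        self.pool = hashlib.sha256()
        self.pool_entropy_bits = 0
        self.key = None            # None until the first reseed
        self.counter = 0
        self.blocks_since_gate = 0
        self.reseed_count = 0

    def add_sample(self, sample: bytes, estimated_bits: int) -> bool:
        """Mix one harvested event into the pool; return True if it caused a reseed."""
        self.pool.update(sample)
        self.pool_entropy_bits += estimated_bits
        if self.pool_entropy_bits >= self.RESEED_THRESHOLD_BITS:
            self._reseed()
            return True
        return False

    def _reseed(self) -> None:
        digest = self.pool.digest()
        # derive the new key from the pool, mixing in the old key if one exists
        self.key = hmac.new(digest, self.key or b"", hashlib.sha256).digest()
        self.pool = hashlib.sha256()
        self.pool_entropy_bits = 0
        self.counter = 0
        self.blocks_since_gate = 0
        self.reseed_count += 1

    def _prf(self, label: bytes) -> bytes:
        return hmac.new(self.key, label, hashlib.sha256).digest()

    def _next_block(self) -> bytes:
        block = self._prf(b"out" + struct.pack(">Q", self.counter))
        self.counter += 1
        self.blocks_since_gate += 1
        if self.blocks_since_gate >= self.GATE_BLOCKS:
            # generator gate: replace the key using generator output, never the pool
            self.key = self._prf(b"gate" + struct.pack(">Q", self.counter))
            self.counter += 1
            self.blocks_since_gate = 0
        return block

    def generate(self, nbytes: int) -> bytes:
        """Return nbytes of output; refuses to run before the first reseed."""
        if self.key is None:
            raise RuntimeError(
                "not seeded: pool holds %d of %d estimated bits"
                % (self.pool_entropy_bits, self.RESEED_THRESHOLD_BITS))
        out = b""
        while len(out) < nbytes:
            out += self._next_block()
        return out[:nbytes]


def constructed_samples():
    """Constructed stand-ins for harvested events, each tagged with an 8-bit estimate."""
    return [(b"event:%d" % i, 8) for i in range(20)]


def seeded_generator():
    """Feed the constructed samples; 16 of them reach the 128-bit threshold once."""
    g = ToyYarrowGenerator()
    for sample, bits in constructed_samples():
        g.add_sample(sample, bits)
    return g


def entropy_bound_demo(nbytes: int = 4096) -> bool:
    """Two generators fed identical samples emit identical long keys: the output
    length does not add entropy beyond what the pool harvested."""
    return seeded_generator().generate(nbytes) == seeded_generator().generate(nbytes)


if __name__ == "__main__":
    g = seeded_generator()
    print("reseeds:", g.reseed_count)
    print("4096-byte key from one 128-bit seed is reproducible:", entropy_bound_demo())
```

The `generate` refusal before the first reseed is the behaviour Murray describes: with nobody on the keyboard the pool fills slowly, and the generator must wait for it rather than emit output from an unseeded key.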


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
