> On Sun, 23 Jul 2000, Mark Murray wrote:
>
> > Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> > the old approach. It is also the approach that you are advocating.
> >
> > The next paragraph "Yarrow takes..." is Yarrow, and the current
> > implementation.
>
> "The strength of the first approach is that, if properly designed, it is
> possible to get unconditional security from the PRNG."
"if properly designed" is the key phrase. The previous on was not, and
I do not have the cryptographic skill to do so.
> This is a good thing :-)
In theory :-). In practice, we have no algorithms to go on.
> Please understand that this is not a personal attack - I appreciate your
> work, and welcome it in FreeBSD. My concern is with what Yarrow does not
> do, but which FreeBSD needs: a PRNG which is capable of generating
> arbitrarily large keys.
We are limited by the rate at which we can harvest entropy. The PC
platform has quite close to Jack Shite available if there is no-one
one the keyboard.
> > How do we fix it? What accumulation algorithm do we use that does not
> > clue the reader into what the internal state is?
>
> I suggest we ask Bruce Schneier instead of bantering back and forth about
> the issue. I claim (supported by the quote above) that it's possible to
> implement such a system securely and have it co-exist with Yarrow.
In theory, yes. I'll ask Schneier. He's already said he'll look at my
code when he has the time.
> > _My_ point is that the old system is broken, and that IMO Yarrow is a
> > good replacement. (I support my point by noting that Schneier is a far
> > better cryptographer than I, and he designed the algorithm that I
> > implemented).
>
> Yarrow is a good replacement for /dev/urandom. However it doesn't provide
> features which I believe are necessary, namely the ability to generate
> high-entropy keys of arbitrary size, without severely impacting on PRNG
> performance by constantly reseeding.
Here we must agree to differ. :-)
Yarrow's data _is_ high entropy. It is indistinguishable from "real"
entropy if done right (for the purposes of this argument, I need to
assume that Schneier does it right). Yarrow is "attack oriented",
which is the correct approach if you want your numbers for crypto and
not for (say) science.
M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message