I have found this discussion very stimulating and enlightening. I'd
like to make a couple of comments:
1. Mr. Kelsey's argument that entropy should only be added in large
quanta is compelling, but I wonder if it goes far enough. I would
argue that entropy collected from different sources (disk, network,
sound card, user input, etc.) should be collected in separate pools,
with each pool tapped only when enough entropy has been collected in
that pool.
Mixing sources gives an attacker added opportunities. For example,
say entropy is being mixed from disk accesses and from network
activity. An attacker could flood his target with network packets he
controlled, ensuring that there would be few disk entropy deposits in
any given quantum release. On the other hand, if the entropy were
collected separately, disk activity entropy would completely rekey
the PRNG whenever enough accumulated, regardless of network
manipulation. Similarly, in a system with a hardware entropy source,
adding disk entropy in a mixing mode would serve little purpose, but
if the pools were kept separate, disk entropy would be a valuable
backup in case the hardware source failed or were compromised.
2. It seems clear that the best solution combines strong crypto
primitives with entropy collection. I wonder how much of the
resistance expressed in this thread has to do with concerns about
performance. For this reason, I think RC4 deserves further
consideration. It is very fast and has a natural entropy pool built
in. With some care, I believe RC4 can be used in such a way that
attacks on the PRNG can be equated to attacks on RC4 as a cipher.
The cryptanalytic significance of RC4's imperfect whiteness is
questionable and can be addressed in a number of ways, if needed. I
have some thoughts on a fairly simple and efficient multi-pool PRNG
design based on RC4, if anyone is interested.
3. With regard to diskless nodes, I suggest that the cryptographic
community should push back by saying that some entropy source is a
requirement and come up with a specification (minimum bit rate,
maximum acceptable color, testability, open design, etc.). An entropy
source spec would reward Intel for doing the right thing and
encourage other processor manufacturers to follow their lead.
A hardware RNG can also be added at the board level. This takes
careful engineering, but is not that expensive. The review of the
Pentium III RNG on www.cryptography.com seems to imply that Intel is
only claiming patent protection on its whitening circuit, which is
superfluous, if not harmful. If so, their RNG design could be copied.
Arnold Reinhold
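As an added illustration of point 1 above (example code, not from the post or its author), a small Python model of the two designs: per-source pools that each rekey a hash-based PRNG only when that pool alone reaches a threshold, versus one mixed pool with a shared credit counter. The threshold, the entropy credits and the flood workload are constructed values chosen to show the effect, not measurements.

```python
import hashlib

THRESHOLD_BITS = 128  # constructed: minimum entropy credit before a pool is tapped

class EntropyAccumulator:
    """Entropy pools feeding a hash-based PRNG key.  With separate=True every
    source gets its own pool that rekeys the PRNG only when that pool alone has
    accumulated THRESHOLD_BITS; with separate=False all sources share one pool
    and one credit counter (the 'mixing' design the post warns about)."""

    def __init__(self, sources, separate=True):
        self.separate = separate
        keys = sources if separate else ["mixed"]
        self.pools = {k: hashlib.sha256() for k in keys}
        self.credit = {k: 0 for k in keys}
        self.per_source = {k: {} for k in keys}   # bits per source since last tap
        self.key = b"\x00" * 32                   # PRNG key; replaced on each tap
        self.releases = []                        # (pool, {source: bits}) per tap

    def add(self, source, sample: bytes, bits: int):
        pool = source if self.separate else "mixed"
        self.pools[pool].update(source.encode() + sample)
        self.credit[pool] += bits
        self.per_source[pool][source] = self.per_source[pool].get(source, 0) + bits
        if self.credit[pool] >= THRESHOLD_BITS:
            self._tap(pool)

    def _tap(self, pool):
        # Release one quantum: fold the whole pool into the key, then reset it.
        digest = self.pools[pool].digest()
        self.key = hashlib.sha256(b"rekey" + self.key + digest).digest()
        self.releases.append((pool, self.per_source[pool]))
        self.pools[pool] = hashlib.sha256()
        self.credit[pool] = 0
        self.per_source[pool] = {}

def disk_bits_per_release(separate: bool, flood_packets: int = 500):
    """Constructed workload: an attacker's packet flood interleaved with rare
    disk events.  Returns (pool, disk-entropy bits) for each release made."""
    acc = EntropyAccumulator(["disk", "network"], separate)
    for i in range(flood_packets):
        acc.add("network", i.to_bytes(4, "big"), bits=2)       # flood packets
        if i % 25 == 0:
            acc.add("disk", (i * 7919).to_bytes(4, "big"), bits=8)  # disk timing
    return [(pool, bits.get("disk", 0)) for pool, bits in acc.releases]
```

With the mixed pool every release is triggered mostly by the flood and carries only a handful of disk bits; with separate pools the disk pool ignores the flood entirely and its release carries the full threshold of disk entropy.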