On Sun, 23 Jul 2000, Mark Murray wrote:

> Erm, read 4.1 again :-). The paragraph that begins "One approach..." is
> the old approach. It is also the approach that you are advocating.
> 
> The next paragraph "Yarrow takes..." is Yarrow, and the current
> implementation.

"The strength of the first approach is that, if properly designed, it is
possible to get unconditional security from the PRNG."

This is a good thing :-)

> It should not use the old method, which is attackable for many
> reasons that Schneier makes clear. (Effectively a 128 bit hash with
> a reseed ("stir") every read. Can you spell "Iterative attack"? :-) ).
> 
> Where does that leave us?
> 
> How good were our old numbers? How many users have I screwed by
> implementing that system?

Please understand that this is not a personal attack - I appreciate your
work, and welcome it in FreeBSD. My concern is with what Yarrow does not
do, but which FreeBSD needs: a PRNG which is capable of generating
arbitrarily large keys.

> How do we fix it? What accumulation algorithm do we use that does not
> clue the reader into what the internal state is?

I suggest we ask Bruce Schneier instead of bantering back and forth about
the issue. I claim (supported by the quote above) that it's possible to
implement such a system securely and have it co-exist with Yarrow.

> _My_ point is that the old system is broken, and that IMO Yarrow is a
> good replacement. (I support my point by noting that Schneier is a far
> better cryptographer than I, and he designed the algorithm that I
> implemented).

Yarrow is a good replacement for /dev/urandom. However, it doesn't provide
features which I believe are necessary, namely the ability to generate
high-entropy keys of arbitrary size, without severely impacting on PRNG
performance by constantly reseeding.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <[EMAIL PROTECTED]>
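As an added illustration of the point argued in this message (not code from the thread, nor from FreeBSD's Yarrow implementation): a simplified Yarrow-style output stage in Python with a 128-bit internal state, a generator gate, and an explicit reseed. The hash-in-counter-mode construction, the block size and the gate limit are assumptions for the demonstration; it shows that a key request of any length is a deterministic function of the current state until fresh entropy is folded in by a reseed.

```python
import hashlib

BLOCK = 16        # 128-bit output block, matching the "128 bit" state size discussed above
GATE_LIMIT = 10   # blocks produced before the generator gate re-keys (assumed value)

class YarrowLikeGenerator:
    """Simplified Yarrow-style output stage: hash of (key, counter) in counter
    mode, a generator gate that re-keys from its own output, and a reseed()."""

    def __init__(self, seed: bytes):
        self.key = hashlib.sha256(seed).digest()[:BLOCK]  # 128-bit internal state
        self.counter = 0
        self.since_gate = 0

    def _block(self) -> bytes:
        out = hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()[:BLOCK]
        self.counter += 1
        return out

    def _gate(self) -> None:
        # Generator gate: replace the key with the next block, so that earlier
        # output cannot be recovered from the current state (backtracking resistance).
        self.key = self._block()
        self.since_gate = 0

    def generate(self, nbytes: int) -> bytes:
        out = bytearray()
        while len(out) < nbytes:
            out += self._block()
            self.since_gate += 1
            if self.since_gate >= GATE_LIMIT:
                self._gate()
        return bytes(out[:nbytes])

    def reseed(self, entropy: bytes) -> None:
        # Fold fresh entropy into the state. Yarrow draws this from its entropy
        # pools; here the caller supplies it directly.
        self.key = hashlib.sha256(self.key + entropy).digest()[:BLOCK]
        self.since_gate = 0

def same_state_same_key(seed: bytes, key_bytes: int) -> bool:
    """Two generators with identical 128-bit state produce identical long keys:
    the requested key length adds no unpredictability beyond the state size."""
    a, b = YarrowLikeGenerator(seed), YarrowLikeGenerator(seed)
    return a.generate(key_bytes) == b.generate(key_bytes)

def reseed_changes_output(seed: bytes, key_bytes: int) -> bool:
    """Only a reseed with fresh entropy makes the output diverge."""
    a, b = YarrowLikeGenerator(seed), YarrowLikeGenerator(seed)
    b.reseed(b"constructed fresh entropy")  # constructed sample entropy
    return a.generate(key_bytes) != b.generate(key_bytes)

def gate_rekeys(seed: bytes) -> bool:
    """The generator gate replaces the key once GATE_LIMIT blocks have been output."""
    g = YarrowLikeGenerator(seed)
    before = g.key
    g.generate(GATE_LIMIT * BLOCK)
    return g.key != before
```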



To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
