Ian Collier wrote in <20200530212040.gk1301...@cs.ox.ac.uk>: |On Mon, May 25, 2020 at 04:24:41PM +0200, Oswald Buddenhagen wrote: |> why not do something proper and use getentropy() instead? | |It's been previously suggested on here that a mail client shouldn't |consume entropy from the system each time it starts, because other |more important processes may want it.
As a non-mathematician i happily disagree and claim you cannot "consume" entropy of a random pool that is stirred and mixed and which mixes, where all this mixing is indeed done via cryptographically advanced algorithms, itself into another pool that finally serves you (whether directly but especially when also being served indirectly via such an algorithm, which i think is what now is done by all; NetBSD has gained a(gain an even more improvied) tremendous amount of work just a few days/fewest weeks ago, for example). For elder code the MUA i maintain also plays fair with the old per-user entropy ~/.rnd (by default) as managed via OpenSSL, in that, if every program that uses that stirs the pool and saves the file again, as we do (as is or was documented that it should be done like that i think), then every program startup and usage even "increases entropy", or, how i would say it, increases unpredictability of the actual entropy data. I mean, you have regular interrupts and timers and scheduler time slices and system calls of programs and network traffic and other I/O events, and all that stirs the pool a bit. But like i said, i am not a mathematician, i always wondered how such attacks can work out at all, yet some did. But then again we saw bugs in the past like that only some low bits of time counters were used and/ or that no mixing through the entire pool was done etc. Iirc. That is me who only reads such things with only one eye. But for example i wondered already about twenty years ago why SSL was not used for some things, and i now wonder even more why everybody wants to use it for exactly the very same things. As if the world had changed. Hm. --steffen | |Der Kragenbaer, The moon bear, |der holt sich munter he cheerfully and one by one |einen nach dem anderen runter wa.ks himself off |(By Robert Gernhardt)
