On Thu, Jan 14, 2021 at 09:43:44PM +0000, RVP wrote:
> Is this OK (or, it is hopelessly insecure)?:

If you have the same secure randomness as everyone else you don't have secure randomness. If you do have unique secure randomness, you only need 256 bits of it to continue generating it forever.

> The other alternative is the user mashing the keyboard and moving a mouse
> for a few minutes.

This is the very old way of doing things and is considered Not Good by current-day standards, it's already been ruled out multiple times, and should not be necessary except in the most hopeless of hopeless cases.

I'm extremely uninterested in anything that requires user intervention except in uncommon cases (obscure hardware) and where it is already obvious they have to intervene.

Also, this paper describes how the Linux kernel's attempts to evaluate the entropy value of input sources can be manipulated, which provides further context for the motivation behind the original changes last year: https://eprint.iacr.org/2013/338.pdf

If you have input, you have to know its value for secure randomness beforehand. Certain HWRNGs are documented and we know roughly the value of their output beforehand. Certain environmental sensors are fundamentally subject to extremely difficult-to-predict physical processes, like turbulence and electromagnetic noise.
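The two points above, that a 256-bit seed is enough to keep generating output indefinitely and that a seed shared with every other machine gives no real randomness, as an added Python illustration that is not part of this mail or of any NetBSD code; the SeededGenerator class and its HMAC-SHA256 counter-mode construction are assumptions made for this example, not the kernel's actual design.

```python
import hashlib
import hmac
import os


class SeededGenerator:
    """Expand a 256-bit seed into an unbounded output stream.

    Assumption for this example: HMAC-SHA256 in counter mode. This is a
    simplified construction for illustration, not the NetBSD kernel's design.
    """

    def __init__(self, seed: bytes) -> None:
        if len(seed) != 32:
            raise ValueError("seed must be exactly 256 bits")
        # Derive a working key so the raw seed itself is never used directly.
        self.key = hmac.new(seed, b"generator-key", hashlib.sha256).digest()
        self.counter = 0

    def random_bytes(self, n: int) -> bytes:
        """Return n bytes; each 32-byte block is HMAC(key, counter)."""
        out = bytearray()
        while len(out) < n:
            block = self.counter.to_bytes(8, "big")
            out += hmac.new(self.key, block, hashlib.sha256).digest()
            self.counter += 1
        return bytes(out[:n])

    def reseed(self, fresh: bytes) -> None:
        """Mix in new input (e.g. HWRNG output) by ratcheting the key forward."""
        self.key = hmac.new(self.key, b"reseed" + fresh, hashlib.sha256).digest()


def shared_seed_gives_identical_output() -> bool:
    """Two machines built from the same seed produce the same 'random' bytes."""
    shared = bytes(range(32))  # constructed: a seed baked into every install
    return SeededGenerator(shared).random_bytes(64) == SeededGenerator(shared).random_bytes(64)


def unique_seed_gives_distinct_output() -> bool:
    """Two machines with their own 256-bit seeds diverge immediately."""
    a = SeededGenerator(os.urandom(32)).random_bytes(64)
    b = SeededGenerator(os.urandom(32)).random_bytes(64)
    return a != b
```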