EGD requirement a show stopper for me
Gary E. Miller
gem at rellim.com
Wed Feb 2 10:00:20 EST 2000
Yo Dave!
The whole point of /dev/random is to add entropy to the PRNG. The problem
with a PRNG is that once you figure out the internal state of the PRNG
you can recover past states and predict future states. Once you can
predict states, even if the prediction is slightly off, then you have
seriously reduced the strength of the encryption.
This is the basis of the cracks for S/Key and some other crypto.
The solution to this problem is to add entropy to your PRNG to make
it more truly random. That is why openssh wants to use /dev/random
or EGD at regular intervals. EGD is too much of a pig and /dev/random
requires kernel patching. So I agree with you that porting something
like EGD to C is the way to go.
FreeS/WAN struggled with this issue for a while and then decided
to just go with /dev/random. open-ssh does not have that option.
RGDS
GARY
On Tue, 1 Feb 2000, Dave Dykstra wrote:
> Date: Tue, 1 Feb 2000 15:55:40 -0600
> From: Dave Dykstra <dwd at bell-labs.com>
> To: Gary E. Miller <gem at rellim.com>
> Cc: openssh-unix-dev at mindrot.org
> Subject: Re: EGD requirement a show stopper for me
>
> On Tue, Feb 01, 2000 at 01:08:06PM -0800, Gary E. Miller wrote:
> > Yo All!
> >
> > An archive of the discussions on /dev/random from the linux-ipsec
> > and coderpunks mailing lists is at:
> > http://www.openpgp.net/random/index.html
> >
> > They have already covered this territory at length.
>
> The access to the archive is kind of slow so I haven't seen it all, but I
> haven't spotted where they're talking about avoiding the use of
> /dev/random. Ipsec is a different situation because by its nature it will
> not be portable and, unlike ssh, they can make operating system changes.
>
> > There is also the source to a linux kernel /dev/random on that
> > website and in its doc the recommendation is made to save the entropy.
> >
> > I think the end result was that it was best to save what entropy
> > that you had between sessions. Since this saved entropy should
> > just be stirred in with whatever new entropy you can find, then
> > you should never be worse off even if the old entropy is compromised.
> >
> > RGDS
> > GARY
> >
> > On Mon, 31 Jan 2000, Andre Lucas wrote:
> >
> > > I'm no authority of any kind on PRNG implementations or the software
> > > you've listed. So this is just a barely educated opinion. I think it's a
> > > good thing to save the random seed, as if you have confidence in your
> > > PRNG it's a good random value with which to initialise the generator.
> > > Since my understanding is that good entropy is hard to find(tm), why
> > > waste it?
>
>
> Ok, maybe I'm missing something. If you have a good initial seed to your
> PRNG and you save it in a protected file the way ssh 1.2.27 does, is there
> any problem with not using the EGD (or /dev/random because it's not
> available)? We could take some of the code from the EGD (ported to C) or
> from some other open source package to get the initial seed, when we don't
> mind spending a little extra time, and from then on do things more quickly
> without the aid of an external program or driver. Right?
>
> - Dave Dykstra
>
---------------------------------------------------------------------------
Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
gem at rellim.com Tel:+1(541)382-8588 Fax: +1(541)382-8676
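An added example (not from this thread and not OpenSSH code) of the seed-file scheme the thread discusses: the seed saved from the last session is stirred together with whatever fresh entropy can be gathered, so the session state depends on both inputs, and the value written back to the protected file is a one-way function of the state. The function names, the SHA-256/HMAC construction and the sample inputs are my own choices, not anything from the list.

```python
import hashlib
import hmac
import os


def stir(saved_seed: bytes, fresh_entropy: bytes) -> bytes:
    """Mix the seed saved from the previous session with entropy gathered now.
    Each input is length-prefixed so that moving bytes across the boundary
    between the two cannot produce the same digest. Every output bit depends
    on both inputs, so an observer who has the saved file but not the fresh
    entropy (or vice versa) cannot reproduce the session state."""
    h = hashlib.sha256()
    for part in (saved_seed, fresh_entropy):
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()


def output_block(state: bytes, counter: int) -> bytes:
    """One 32-byte output block: HMAC keyed by the state over a counter.
    The state itself is never emitted, so outputs do not reveal it."""
    return hmac.new(state, counter.to_bytes(8, "big"), hashlib.sha256).digest()


def seed_to_save(state: bytes) -> bytes:
    """Value written back to the protected seed file at the end of the session.
    It is a one-way function of the state, so a later compromise of the file
    does not expose the state that produced this session's output blocks."""
    return hashlib.sha256(b"seed-file:" + state).digest()


def run_session(saved_seed: bytes, fresh_entropy: bytes, blocks: int):
    """Stir, draw `blocks` output blocks, and return (outputs, seed to save)."""
    state = stir(saved_seed, fresh_entropy)
    outputs = [output_block(state, i) for i in range(blocks)]
    return outputs, seed_to_save(state)


if __name__ == "__main__":
    # Constructed walk-through: a seed carried over from a previous session
    # plus 32 bytes of fresh entropy; os.urandom stands in here for the slow
    # external gatherer (EGD or /dev/random) the thread is arguing about.
    old_seed = bytes(range(32))
    outs, new_seed = run_session(old_seed, os.urandom(32), 2)
    print(outs[0].hex())
    print(new_seed.hex())
```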