EGD requirement a show stopper for me

Dave Dykstra dwd at bell-labs.com
Thu Feb 3 02:41:46 EST 2000


On Tue, Feb 01, 2000 at 03:00:20PM -0800, Gary E. Miller wrote:
> The whole point of /dev/random is to add entropy to the PRNG.  The problem
> with a PRNG is that once you figure out the internal state of the PRNG
> you can recover past states and predict future states.  Once you can
> predict states, even if the prediction is slightly off, then you have
> seriously reduced the strength of the encryption.
> 
> This is the basis of the cracks for S/Key and some other crypto.

OK, but could one figure out the internal state of the PRNG without having
access to the seed file?  I'm not worried about compromise of the seed file.
I would think that if somebody could figure out what numbers were being
generated by the PRNG they could predict what it might do in the future, but
as far as I know there's no way for someone to do that without having already
broken into the legitimate client or server.

I don't get why SSH 1.2.27 can do without /dev/random and EGD and yet
there's been no CERT advisories saying that that part of SSH is insecure.


> The solution to this problem is to add entropy to your PRNG to make
> it more truly random.  That is why openssh wants to use /dev/random
> or EGD at regular intervals.  EGD is too much of a pig and /dev/random
> requires kernel patching.  So I agree with you that porting something
> like EGD to C is the way to go.

It's not enough to just port EGD to C, it needs to be integrated with 
openssh and very preferably not be a separate process.  There's nothing
inherently wrong with that, is there (ignoring for the moment the amount
of work it would take)?

- Dave Dykstra
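The two points the exchange above turns on, that whoever holds a PRNG's internal state can run it forward and reproduce every later output, and that mixing in fresh entropy at intervals is what cuts that prediction off, can be shown with a small simulation. This is an added example written for this page, not code from OpenSSH, OpenSSL or EGD: the hash-based generator, the seed bytes, the `predictions_after_state_leak` function and its `reseed_every` parameter are all constructed for illustration, and the entropy source defaults to the operating system's pool as a stand-in for /dev/random or EGD.

```python
import hashlib
import os
from typing import Callable, List

# Constructed seed standing in for the seed file an SSH daemon keeps on disk.
CONSTRUCTED_SEED = b"constructed seed file contents, not a real secret"


class ToyPRNG:
    """Hash-based generator whose outputs are a pure function of its state.
    Constructed for illustration only; this is not the PRNG of OpenSSH or OpenSSL."""

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"seed:" + seed).digest()

    def next_bytes(self) -> bytes:
        # Ratchet the state forward, then derive the output from the new state.
        self.state = hashlib.sha256(b"step:" + self.state).digest()
        return hashlib.sha256(b"out:" + self.state).digest()

    def add_entropy(self, fresh: bytes) -> None:
        # Fold external entropy into the state: the role /dev/random or EGD plays.
        self.state = hashlib.sha256(b"mix:" + self.state + fresh).digest()

    def snapshot(self) -> "ToyPRNG":
        # A copy of the generator as someone who captured the state would hold it.
        clone = ToyPRNG(b"")
        clone.state = self.state
        return clone


def predictions_after_state_leak(
    reseed_every: int,
    steps: int = 6,
    entropy_source: Callable[[], bytes] = lambda: os.urandom(32),
) -> List[bool]:
    """Simulate a host whose PRNG state was captured once and then keeps running.

    reseed_every == 0 means fresh entropy is never mixed in; otherwise the host
    mixes in entropy_source() before every reseed_every-th output.  Returns, for
    each output, whether the copy made at the moment of compromise reproduced it.
    """
    host = ToyPRNG(CONSTRUCTED_SEED)
    host.next_bytes()              # the host has already handed out some output
    captured = host.snapshot()     # moment of compromise: the state is known

    matched = []
    for i in range(steps):
        if reseed_every and i > 0 and i % reseed_every == 0:
            host.add_entropy(entropy_source())   # fresh bits the copy never sees
        matched.append(captured.next_bytes() == host.next_bytes())
    return matched


if __name__ == "__main__":
    # Without reseeding every later output is reproduced; with reseeding the
    # copy stays in step only until the first mix of fresh entropy.
    print("no reseed:      ", predictions_after_state_leak(0))
    print("reseed every 3: ", predictions_after_state_leak(3))
```

The first call returns six `True` values: a captured state is enough to regenerate everything the host produces afterwards, which is the weakness described above. The second returns `[True, True, True, False, False, False]`: the copy tracks the host only until fresh entropy is mixed in, and it never resynchronises, because the mixed-in bytes were not part of the captured state. The width of that window is exactly the reseeding interval, which is why the interval at which /dev/random or EGD is consulted matters and not merely whether it is consulted at all.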