Source-Changes-HG archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
[src/trunk]: src/share/man/man4 Replace slightly wrong rant by shorter and sl...
details: https://anonhg.NetBSD.org/src/rev/3f0dfbe20d67
branches: trunk
changeset: 463681:3f0dfbe20d67
user: riastradh <riastradh%NetBSD.org@localhost>
date: Wed Sep 04 04:00:04 2019 +0000
description:
Replace slightly wrong rant by shorter and slightly less long rant.
(If X and Y in Z/2Z are independent, then so are X and X+Y. What was
I thinking.)
diffstat:
share/man/man4/rnd.4 | 67 +++++++++++++++------------------------------------
1 files changed, 20 insertions(+), 47 deletions(-)
diffs (87 lines):
diff -r f2ca0fa53ce3 -r 3f0dfbe20d67 share/man/man4/rnd.4
--- a/share/man/man4/rnd.4 Wed Sep 04 03:15:20 2019 +0000
+++ b/share/man/man4/rnd.4 Wed Sep 04 04:00:04 2019 +0000
@@ -1,4 +1,4 @@
-.\" $NetBSD: rnd.4,v 1.25 2019/09/04 03:15:20 riastradh Exp $
+.\" $NetBSD: rnd.4,v 1.26 2019/09/04 04:00:04 riastradh Exp $
.\"
.\" Copyright (c) 2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -551,50 +551,27 @@
.Sh ENTROPY ACCOUNTING
The entropy accounting described here is not grounded in any
cryptography theory.
-It is done because it was always done, and because it gives people a
-warm fuzzy feeling about information theory.
-.Pp
-The folklore is that every
-.Fa n Ns -bit
-output of
-.Fa /dev/random
-is not merely indistinguishable from uniform random to a
-computationally bounded attacker, but information-theoretically is
-independent and has
-.Fa n
-bits of entropy even to a computationally
-.Em unbounded
-attacker -- that is, an attacker who can recover AES keys, compute
-SHA-1 preimages, etc.
-This property is not provided, nor was it ever provided in any
-implementation of
-.Fa /dev/random
-known to the author.
+.Sq Entropy estimation
+doesn't mean much: the kernel hypothesizes an extremely simple-minded
+parametric model for all entropy sources which bears little relation to
+any physical processes, implicitly fits parameters from data, and
+accounts for the entropy of the fitted model.
.Pp
-This property would require that, after each read, the system discard
-all measurements from hardware in the entropy pool and begin anew.
-All work done to make the system unpredictable would be thrown out, and
-the system would immediately become predictable again.
-Reverting the system to being predictable every time a process reads
-from
-.Fa /dev/random
-would give attackers a tremendous advantage in predicting future
-outputs, especially if they can fool the entropy estimator, e.g. by
-sending carefully timed network packets.
+Past versions of the
+.Nm
+subsystem were concerned with
+.Sq information-theoretic
+security, under the premise that the number of bits of entropy out must
+not exceed the number of bits of entropy in -- never mind that its
+.Sq entropy estimation
+is essentially meaningless without a model for the physical processes
+the system is observing.
.Pp
-If you filled your entropy pool by flipping a coin 256 times, you would
-have to flip it again 256 times for the next output, and so on.
-In that case, if you really want information-theoretic guarantees, you
-might as well take
-.Fa /dev/random
-out of the picture and use your coin flips verbatim.
-.Pp
-On the other hand, every cryptographic protocol in practice, including
-HTTPS, SSH, PGP, etc., expands short secrets deterministically into
-long streams of bits, and their security relies on conjectures that a
-computationally bounded attacker cannot distinguish the long streams
-from uniform random.
-If we couldn't do that for
+But every cryptographic protocol in practice, including HTTPS, SSH,
+PGP, etc., expands short secrets deterministically into long streams of
+bits, and their security relies on conjectures that a computationally
+bounded attacker cannot distinguish the long streams from uniform
+random. If we couldn't do that for
.Fa /dev/random ,
it would be hopeless to assume we could for HTTPS, SSH, PGP, etc.
.Pp
@@ -603,7 +580,3 @@
Nobody has ever reported distinguishing SHA-256 hashes with secret
inputs from uniform random, nor reported computing SHA-1 preimages
faster than brute force.
-The folklore information-theoretic defence against computationally
-unbounded attackers replaces system engineering that successfully
-defends against realistic threat models by imaginary theory that
-defends only against fantasy threat models.
Home |
Main Index |
Thread Index |
Old Index