Re: [dsfjdssdfsd] What has gone wrong with RNGs in practice

Theodore Ts'o <> Sat, 16 November 2013 02:42 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id B50EC11E8146 for <>; Fri, 15 Nov 2013 18:42:54 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.424
X-Spam-Status: No, score=-2.424 tagged_above=-999 required=5 tests=[AWL=-0.176, BAYES_00=-2.599, NO_RELAYS=-0.001, SARE_SUB_11CONS_WORD=0.352]
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id z89uyRyRwpt6 for <>; Fri, 15 Nov 2013 18:42:54 -0800 (PST)
Received: from ( [IPv6:2600:3c02::f03c:91ff:fe96:be03]) by (Postfix) with ESMTP id 455A811E8223 for <>; Fri, 15 Nov 2013 18:42:53 -0800 (PST)
Received: from root ( by with local-esmtp (Exim 4.80) (envelope-from <>) id 1VhVqQ-0005AF-Uv; Sat, 16 Nov 2013 02:42:47 +0000
Received: by (Postfix, from userid 15806) id 4754858087B; Fri, 15 Nov 2013 21:42:42 -0500 (EST)
DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple;; s=mail; t=1384569762; bh=ira7EZrPESjCrS8YSX+YGCiJdhUy2v10AhSd+ZWPb4U=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=vIExOYhkKpi1ClUYxG21EMlOr0VEg8y58DuHaOhhT2V7C7nznlXriCxfvHRvSBbvq idC9FD1w0258xFAcs01JP3+0GmQtRD5fI/iHSy5OPrguHIzcDUyRSYgtqBiaJfTsfB K5tfwYlVHqzmQpps9H79gOixrZZ8QkpxjTZ+vle0=
Date: Fri, 15 Nov 2013 21:42:42 -0500
From: Theodore Ts'o <>
To: Nick Mathewson <>
Message-ID: <>
References: <>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Disposition: inline
In-Reply-To: <>
User-Agent: Mutt/1.5.21 (2010-09-15)
X-SA-Exim-Connect-IP: <locally generated>
X-SA-Exim-Scanned: No (on; SAEximRunCond expanded to false
Subject: Re: [dsfjdssdfsd] What has gone wrong with RNGs in practice
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sat, 16 Nov 2013 02:42:54 -0000

On Fri, Nov 15, 2013 at 11:36:14AM -0500, Nick Mathewson wrote:
> CC. Theoretically unsound pool constructions
> See for example the recent paper on the Linux /dev/*random devices'
> constructions [10].

CC is a bit vague, and is redundant with AA, BB, and EE in your list.

The assertion made in [10] is that an attacker who can control all of
the entropy inputs in such a way that defeats the entropy estimator
(which is EE), could result in a failure of guarantees such as BB
(recovery after compromised state).

Whether or not an attacker could control all entropy inputs in such as
way that it could defeat the entropy estimator was not actually shown
in [10], and I'm not entirely sure that insisting on a theoretical
model which requires that a design should be robust against by
arbitrary control of the entropy sources (as opposed to auditing the
entropy sources actually *used* by the RNG) is a all that useful ---
but that's aside from the point I'm trying to make here, which is if
you're going to have a list of potential RNG failures, they should be
a specific set of things that you can look for, and not something
vague and overarching such as "bad design of the RNG pools".


							- Ted