Stephan Mueller wrote:
> On Thursday, 14 November 2013, 11:51:03 Clemens Ladisch wrote:
>> An attacker would not try to detect patterns; he would apply knowledge
>> of the internals.
>
> I do not buy that argument, because if an attacker can detect or deduce
> the internals of the CPU, he surely can detect the state of the
> input_pool or the other entropy pools behind /dev/random.

With "internals", I do not mean the actual state of the CPU, but the
behaviour of all the CPU's execution engines. An Intel engineer might
know how to affect the CPU so that the CPU jitter code measures a
deterministic pattern, but he will not know the contents of my memory.

>> Statistical tests are useful only for detecting the absence of entropy,
>> not for the opposite.
>
> Again, I fully agree. But it is equally important to understand that
> entropy is relative.

In cryptography, we care about absolute entropy, i.e., _nobody_ must be
able to predict the RNG output, not even any CPU engineer.


Regards,
Clemens
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
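The point above, that statistical tests can only show the absence of entropy, can be demonstrated with a small added example (Python, written for this page, not code from the thread or from the kernel): a stream derived from a fixed seed has zero entropy to anyone who knows the seed, yet passes NIST SP 800-22 style monobit and runs tests, while obviously patterned inputs are the only thing the tests catch. The seed value and the `looks_random` helper are constructed for the example.

```python
import hashlib
import math


def deterministic_stream(seed: bytes, nbytes: int) -> bytes:
    """Stream built as SHA-256(seed || counter). To anyone holding the seed
    it has zero entropy (every byte is predictable); to others it looks like noise."""
    out = bytearray()
    counter = 0
    while len(out) < nbytes:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:nbytes])


def to_bits(data: bytes) -> list:
    return [(byte >> i) & 1 for byte in data for i in range(8)]


def monobit_pvalue(bits: list) -> float:
    """NIST SP 800-22 frequency (monobit) test: are 0s and 1s balanced?"""
    n = len(bits)
    s = sum(1 if b else -1 for b in bits)
    return math.erfc(abs(s) / math.sqrt(2 * n))


def runs_pvalue(bits: list) -> float:
    """NIST SP 800-22 runs test: does the stream oscillate as often as expected?"""
    n = len(bits)
    pi = sum(bits) / n
    if abs(pi - 0.5) >= 2 / math.sqrt(n):  # precondition: frequency must be sane
        return 0.0
    runs = 1 + sum(1 for i in range(n - 1) if bits[i] != bits[i + 1])
    numerator = abs(runs - 2 * n * pi * (1 - pi))
    denominator = 2 * math.sqrt(2 * n) * pi * (1 - pi)
    return math.erfc(numerator / denominator)


def looks_random(data: bytes, alpha: float = 0.01) -> bool:
    """True if both tests pass at significance level alpha (constructed helper)."""
    bits = to_bits(data)
    return monobit_pvalue(bits) >= alpha and runs_pvalue(bits) >= alpha


if __name__ == "__main__":
    seed = b"constructed seed known to the attacker"  # constructed sample value
    stream = deterministic_stream(seed, 4096)
    # The tests are satisfied, yet whoever knows the seed reproduces the stream exactly.
    print("hash stream passes:", looks_random(stream))
    print("reproducible:", stream == deterministic_stream(seed, 4096))
    # Patterned input is what the tests CAN detect: a visible lack of entropy.
    print("all zeros passes:", looks_random(b"\x00" * 4096))
    print("alternating bits passes:", looks_random(b"\x55" * 4096))
```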