<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<tt>Hi Ted,</tt><br>
<br>
<div class="moz-cite-prefix">On 06/27/2017 03:40 PM, Theodore Ts'o
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:20170627204041.h2sr3zovsnutj43y@thunk.org"><br>
<pre wrap="">My recommendation for Linux is to use getrandom(2) the flags field set
to zero. This will cause it to use a CRNG that will be reseeded every
five minutes from environmental noise gathered primarily from
interrupt timing data. For modern kernels, the CRNG is based on
ChaCha20. For older kernels, it is based on SHA-1.
There are a lot of people who have complained about whether or not
Linux's urandom generator has met with there religious beliefs about
how RNG's should be designed and implemented. One of the things you
will find is that many of these people are very vocal, and in some
cases, their advice will be mutually exclusive. So if you are going
to be trying to design your own RNG for OpenSSL --- welcome to my
world.
(In other words, I do listen to many of the people who have opined on
this thread. I just don't happen to agree with all of them. And I
suspect you will find that in the end, it's impossible to make them
all happy, and they will end up questioning your intelligence,
judgement, and in some cases, your paternity. :-)
</pre>
</blockquote>
<br>
Thanks for the input, and for reading what is being said.<br>
<br>
While you're here, would you mind confirming/denying the claim I
read that the reason the linux /dev/random tracks an entropy
estimate and blocks when it gets too low is to preserve backward
security in the face of attacks against SHA1?<br>
<br>
I'm happy to respect that there are different opinions, but it would
be nice to know the reasoning behind the behavior, even if I do not
necessarily agree with it.<br>
<br>
Thanks,<br>
<br>
Ben<br>
</body>
</html>