[ECOS] Re: Entropy gathering?

Grant Edwards grante@visi.com
Fri Apr 4 14:15:00 GMT 2008

On 2008-04-04, Markus Schaber <schabi@logix-tt.com> wrote:

>> I've been googling to find some source material on practical
>> aspects of maintaining an entropy pool, but so far haven't
>> found much of anything.
> Maybe you can ask in the UseNet Newsgroup sci.crypt (after
> assuring that their FAQ doesn't contain some useful pointers).

Thanks, I'll check the sci.crypt FAQ.  I should have thought of
that. I also found that googling for "entropy pool" found some
useful stuff.  I had been googling for entropy gathering and
entropy extraction without much luck.

> Also, libtomcrypt or the CryptoPP lib may contain entropy
> code. OpenSSL / GnuTLS definitely have, but they both are
> rather heavyweight.

Yup.  We porting OpenSSL (and looked at some of the other
ports) before deciding on a different SSL library (which
requires an external entropy source).

> And "Applied Cryptography" by Bruce Schneier, and
> "Cryptograpyh for developers" by Tom St. Denis may be worth a
> look.

I've got Schneier, Kelsy, and Ferguson's Yarrow paper, and that
looks like a good starting point.  I really ought to buy
Schneier's book. [Funny thing: it turns out that Bruce Schneier
lives about six blocks from me (and I drive past his house
regularly).  And he used to live about 2 miles from my sister's
house which is 400+ miles away from here.]

> There are also some recent articles analyzing the entropy
> pools from Linux, BSDish Systems and Windows, where some
> weaknesses showed up.
> Cryptography is a field of mines, and most ad-hoc
> implementations by non-experts turn out to be severely broken
> some time after deployment.

I know.  That's why I'm a bit worried about using eCos's
arc4_random() as an entropy source for crypto purposes.

Grant Edwards                   grante             Yow! Thousands of days of
                                  at               civilians ... have produced
                               visi.com            a ... feeling for the
                                                   aesthetic modules --

Before posting, please read the FAQ: http://ecos.sourceware.org/fom/ecos
and search the list archive: http://ecos.sourceware.org/ml/ecos-discuss

More information about the Ecos-discuss mailing list