Re: [PROPOSAL/PATCH] Fortuna PRNG in /dev/random

[Jean-Luc Cooke]

On Fri, Sep 24, 2004 at 05:34:52PM -0400, Theodore Ts'o wrote:
> > Woh there.  Didn't you just say "see, these hashes are weakened.  That's
> > bad".  Now I just demonstrated the same thing with your SHA1 implementation
> > and you throw that "red-herring" phrase out again?
> 
> No, what I'm saying is that crypto primitives can get weakened; this
> is a fact of life.  SHA-0, MD4, MD5, etc. are now useless as general
> purpose cryptographic hashes.  Fortuna makes the assumptions that
> crypto primitives will never break, as it relies on them so heavily.
> I have a problem with this, since I remember ten years ago when people
> were as confident in MD5 as you appear to be in SHA-256 today.

http://eprint.iacr.org/2004/207.pdf

SHA-256 showing indications of weakness.  Fortuna's algorithms can be
replaced at compile-time.  I may even consider doing them at run-time.

> Crypto academics are fond of talking about how you can "prove" that
> Fortuna is secure.  But that proof handwaves around the fact that we
> have no capability of proving whether SHA-1, or SHA-256, is truly
> secure.

Our issues are that we are *both* handwaving.

JLC
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/