So much entropy it's coming out of our ears?

Richard Coleman rcoleman at
Thu Aug 5 07:32:52 PDT 2004

Sam Leffler wrote:

>  gathering through fast paths. I've suggested for a long time that
>  this sort of collection should be enabled only under dire
>  circumstances and never by default. Regardless the last time I
>  looked at the entropy harvesting it used a model where entropy was
>  unilateraly sent for harvest and discarded when too plentiful. I
>  term this the "push model". I've advocated a "pull model" where the
>  PRNG requests entropy when a low water mark is hit and/or a hybrid
>  scheme where producers have some sort of flow control or feedback
>  mechanism.
>  Everything that goes on inside the PRNG is a separate issue.
>  Sam

In general, by using a push model, you open yourself up to the possibility
that the attacker could exhaust the entropy at just the right time so he can
control what entropy is harvested on the next run of the PRNG.  But in this
case, we might be able to get away with it, since the PRNG is still
cryptographically strong even when there is no new entropy flowing into the
system (as long at the attacker doesn't know the initial state of the pool).
Rekeying and reseeding the pool are primarily to give you forward security
and to recover if the entropy pool has been compromised.

But a push system is still better if it doesn't impact performance too much.

Richard Coleman
rcoleman at

More information about the freebsd-current mailing list