So much entropy it's coming out of our ears?

Sam Leffler sam at
Thu Aug 5 08:53:58 PDT 2004

On Thursday 05 August 2004 07:33 am, Richard Coleman wrote:
> Sam Leffler wrote:
> >  gathering through fast paths. I've suggested for a long time that
> >  this sort of collection should be enabled only under dire
> >  circumstances and never by default. Regardless the last time I
> >  looked at the entropy harvesting it used a model where entropy was
> >  unilateraly sent for harvest and discarded when too plentiful. I
> >  term this the "push model". I've advocated a "pull model" where the
> >  PRNG requests entropy when a low water mark is hit and/or a hybrid
> >  scheme where producers have some sort of flow control or feedback
> >  mechanism.
> >
> >  Everything that goes on inside the PRNG is a separate issue.
> >
> >  Sam
> In general, by using a push model, you open yourself up to the possibility
> that the attacker could exhaust the entropy at just the right time so he
> can control what entropy is harvested on the next run of the PRNG.  But in
> this case, we might be able to get away with it, since the PRNG is still
> cryptographically strong even when there is no new entropy flowing into the
> system (as long at the attacker doesn't know the initial state of the
> pool). Rekeying and reseeding the pool are primarily to give you forward
> security and to recover if the entropy pool has been compromised.
> But a push system is still better if it doesn't impact performance too
> much.

Push vs pull and exhaustion depends on your system config which is why I 
hedged with "or a hybrid scheme".  If a system has a reasonable h/w entropy 
source it should be able to pull enough entropy on demand to keep everyone 
happy.  I know this to be true for at least 4 crypto parts that include a h/w 
RNG.  On systems like this you want to just shutdown all other forms of 
entropy gathering unless you're paranoid about having a single source of 


More information about the freebsd-current mailing list