passwdgen

Jakub Piotr Cłapa loc at toya.net.pl
Sat Aug 6 21:21:07 CEST 2005


Tomasz Grobelny wrote:
> On Saturday 06 August 2005 19:26, Michal Moskal wrote:
> 
>>On 8/6/05, Tomasz Grobelny <tomasz at grobelny.oswiecenia.net> wrote:
>>
>>>On Saturday 06 August 2005 18:49, Michal Moskal wrote:
>>>
>>>>On 8/6/05, Tomasz Grobelny <tomasz at grobelny.oswiecenia.net> wrote:
>>>>
>>>>>3. If /dev/urandom is supposed to be less secure but it is secure
>>>>>enough (in current kernel implementation) should passwdgen use it?
>>>>>Yes, because it works. No, because it could be insecure if kernel
>>>>>behaviour changes. Other opinions?
>>>>
>>>>It cannot change to be less secure. It's part of the kernel API.
>>>
>>>Does the API define how data coming from /dev/urandom is generated?
>>
>>man urandom:
>>
>>       When  read,  /dev/urandom  device  will  return  as  many  bytes as
>>are requested.  As a result, if there is  not  sufficient  entropy  in  the
>>entropy  pool,  the  returned  values are theoretically vulnerable to a
>>cryptographic attack on the algorithms used by the  driver.   Knowledge of
>>how to do this is not available in the current non-classified literature,
>>but it is theoretically possible that such an attack may  exist. If this is
>>a concern in your application, use /dev/random instead.
> 
> But it doesn't say how data is generated. It just says that in some 
> circumstances it may be of lower security. But still we don't know how often 
> it can happen, how much lower the security will be and so on. It is up to 
> implementation, not API.
> Another question is: does /dev/random have to be so slow? Are any patches 
> applied to its code in PLD kernel that could slow it down? It's just I don't 
> believe that author of passwdgen wrote a program that needs hours to produce 
> a 10 character password on average system...

You can feed it and it will produce much more. Generating entropy based 
only on normal computer usage is not so easy.

There were two programs which could feed the kernel with entropy from a 
v4l source or from a soundcard; maybe try these?...

-- 
Regards,
Jakub Piotr Cłapa
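
An added example, not part of the original thread and not passwdgen's own code: a sketch of a 10-character password generator that draws from the kernel random device discussed above. The function names and the 62-symbol alphabet are assumptions. It opens the device unbuffered so it requests only the bytes it needs, and uses rejection sampling so every character is equally likely.

```python
import io

# Assumed alphabet for illustration: 62 symbols.
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789")


def password_from_stream(stream, length=10, alphabet=ALPHABET):
    """Map random bytes from `stream` to `length` uniformly chosen characters."""
    n = len(alphabet)
    if not 1 <= n <= 256:
        raise ValueError("alphabet must have between 1 and 256 symbols")
    # Largest multiple of n that fits in a byte. Bytes at or above it are
    # discarded; using them with `% n` would favour the first symbols.
    limit = 256 - (256 % n)
    out = []
    while len(out) < length:
        # Ask only for as many bytes as characters are still missing, so a
        # blocking source is not asked for more entropy than necessary.
        chunk = stream.read(length - len(out))
        if not chunk:
            raise EOFError("random source returned no data")
        for b in chunk:
            if b < limit:
                out.append(alphabet[b % n])
    return "".join(out)


def generate(length=10, device="/dev/urandom"):
    """Read from the kernel device; pass device='/dev/random' to compare."""
    # buffering=0 avoids Python's default read-ahead of several kilobytes,
    # which would pull far more from the device than a password needs.
    with open(device, "rb", buffering=0) as dev:
        return password_from_stream(dev, length)


if __name__ == "__main__":
    print(generate())
```
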



More information about the pld-devel-en mailing list