From: Nobody
Subject: Re: How good is security via hashing
Date: Wed, 08 Jun 2011 08:18:40 +0100
Newsgroups: comp.lang.python

On Tue, 07 Jun 2011 19:38:29 -0700, Paul Rubin wrote:

>> Personally, I'd take whatever "cheap" entropy I can get and hash it.
>> If you're going to read from /dev/urandom, limit it to a few bytes per
>> minute, not per request.
>
> That's really not going to help you.

In what way?

If I need security, I'll use /dev/random or /dev/urandom. If I don't, I'll
save the real entropy for something which needs it.

Issues with observability of entropy sources (mainly the use of network
traffic as an entropy source) are overblown. The staff of a co-location
facility have physical access, and anyone further out doesn't see enough
of the traffic for it to do them any good.

Predicting an entropy-hashing RNG based upon a fraction of the entropy and
a fraction of the output is a theoretical attack which is only relevant to
entities who have far easier options available to them.
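
For the trade-off argued in this thread, an added example (not part of the original message) that compares a token made by hashing "cheap" inputs with one drawn from the OS CSPRNG, and checks whether each can be regenerated from guessable inputs alone. The cheap inputs used here (a whole-second timestamp and a process ID), the PID limit, the sample values and all function names are assumptions made for illustration.

```python
import hashlib
import secrets

PID_MAX = 32768  # assumed PID limit (common Linux default), for illustration


def cheap_token(timestamp: int, pid: int) -> str:
    """Token made by hashing low-entropy inputs (assumed: epoch second + PID)."""
    return hashlib.sha256(f"{timestamp}:{pid}".encode()).hexdigest()


def urandom_token(nbytes: int = 32) -> str:
    """Token drawn from the OS CSPRNG (os.urandom, via the secrets module)."""
    return secrets.token_hex(nbytes)


def candidate_space(window_seconds: int, pid_max: int = PID_MAX) -> int:
    """Number of (timestamp, pid) pairs consistent with a known time window.

    Hashing does not enlarge this number; it only hides the inputs' format.
    """
    return window_seconds * pid_max


def reproducible_from_inputs(token, t_start, window_seconds, pid_max=PID_MAX):
    """Audit check: can the token be regenerated from guessable inputs alone?

    Returns the matching (timestamp, pid) pair, or None if no pair in the
    window reproduces the token.
    """
    for ts in range(t_start, t_start + window_seconds):
        for pid in range(pid_max):
            if cheap_token(ts, pid) == token:
                return ts, pid
    return None


if __name__ == "__main__":
    issued_at, pid = 1307517520, 4242  # constructed sample values
    weak = cheap_token(issued_at, pid)
    strong = urandom_token()
    print("candidates in a 60 s window:", candidate_space(60))
    print("cheap token reproduced from:",
          reproducible_from_inputs(weak, issued_at - 2, 5))
    print("urandom token reproduced from:",
          reproducible_from_inputs(strong, issued_at - 2, 5))
```

A token that passes this check with `None` for every plausible input window is the property to test for when deciding whether a hashed source is good enough for session IDs or reset links.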