著者: adrelanos 日付: To: tails-dev 題目: Re: [Tails-dev] haveged quality test in Virtual Box
intrigeri: > Hi,
>
> Abel Luck wrote (28 Dec 2012 17:57:40 GMT) :
>> Near the end it discusses HAVEGE with the startling point:
>
>> "One of Peter's colleagues replaced the random input source
>> employed by HAVEGE with a constant stream of ones. All of the
>> same tests passed."
>
> I think this tells more about the poor quality of the tests we
> have, than about the quality of HAVEGE itself. This does not
> startle me.
It's impossible to prove randomness. That's why there will never be
tests which could prove it. Only a pattern can be found. That fact
that no one published a method to find a pattern doesn't mean there is
no pattern. In future a clever person could show us the pattern.
Reading about entropy is interesting. Many things are unclear. There
are many open research questions.
The interesting questions to ask are, is there a known vulnerability? No.
How serious would be if someone found a pattern? Would it make our
keys vulnerable?
I'd speculate it would be best if we combined all current
non-vulnerable methods to gather entropy. If that would help or worsen
the situation is a questions which is also nowhere answered.