svn commit: r239569 - head/etc/rc.d
RW
rwmaillists at googlemail.com
Wed Sep 12 11:34:37 UTC 2012
On Tue, 11 Sep 2012 16:01:17 -0700
Xin Li wrote:
> Well, 1:1 correspondence is when we fed full text to /dev/random,
> which we don't, right? Only the first 4K gets consumed. So:
>
> Situation 1: we have 45K of plain text, and only first 4k is fed to
> /dev/random at about 5 bits of entropy per byte;
>
> Situation 2: we have 45K of plain text, compress to e.g. 25K and only
> first 4k is fed to /dev/random at more than 7.6 bits of entropy per
> byte;
>
> Therefore I think Situation 2 is better than situation 1.
It's marginally better, but still a very poor solution. You still
lose most of the entropy, and you still end up with a substantial risk
of there being no buffers available for /entropy.
Situation 3: use a hash; all the entropy (up to an overkill amount) ends
up in yarrow, most of the buffer space is left for /entropy.
Compression solves neither of the two problems - hashing solves both.
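An added illustration of the three situations in this thread (not code from the thread, the committed rc.d script, or FreeBSD's random device): a constructed 45K "plain text", the 4K cut described above as an assumed constant, and one byte flipped past the cut to show which seeding strategy still sees it. SHA-512 is an assumed choice of hash; the thread only says "use a hash".

```python
import hashlib
import math
import random
import zlib
from collections import Counter

RANDOM_BUFFER = 4096  # assumption: bytes consumed per write, as the thread states ("first 4K")


def shannon_bits_per_byte(data: bytes) -> float:
    """Empirical Shannon entropy estimate (bits per byte) from byte frequencies."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def seed_truncate(data: bytes) -> bytes:
    """Situation 1: feed raw text; only the first 4K is consumed."""
    return data[:RANDOM_BUFFER]


def seed_compress(data: bytes) -> bytes:
    """Situation 2: compress first; only the first 4K of the output is consumed."""
    return zlib.compress(data, 9)[:RANDOM_BUFFER]


def seed_hash(data: bytes) -> bytes:
    """Situation 3: hash everything so every input byte contributes to a short seed."""
    return hashlib.sha512(data).digest()


def make_text(n_bytes: int, seed: int = 1) -> bytes:
    """Constructed sample text: random words from a small vocabulary (not real data)."""
    rng = random.Random(seed)
    words = [b"entropy", b"yarrow", b"buffer", b"random", b"hash",
             b"compress", b"seed", b"boot", b"file", b"bits"]
    out = bytearray()
    while len(out) < n_bytes:
        out += rng.choice(words) + b" "
    return bytes(out[:n_bytes])


def compare(text: bytes, tail_offset: int) -> dict:
    """Flip one byte beyond the 4K cut and report which seeds change because of it."""
    changed = bytearray(text)
    changed[tail_offset] ^= 0xFF
    changed = bytes(changed)
    return {
        "plain_bits": shannon_bits_per_byte(seed_truncate(text)),
        "compressed_bits": shannon_bits_per_byte(seed_compress(text)),
        "truncate_sees_tail": seed_truncate(text) != seed_truncate(changed),
        "hash_sees_tail": seed_hash(text) != seed_hash(changed),
    }
```

Truncation never notices the flipped byte, the hash always does, and the compressed prefix scores higher per byte than the raw prefix, which is the whole of the argument above.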
More information about the freebsd-security mailing list