On Fri, Oct 18, 2013 at 2:56 AM, Cathal Garvey <cathalgarvey@cathalgarvey.me> wrote:
> ... Leading to a n00b question: if you have a custom-built HWRNG, and you *don't need the full output* but just a complementary source of entropy for /dev/random, how would one seed /dev/random with the HWRNG without washing out the good entropy already in /dev/random?
> That is, [...] would be a nice ancillary input to /dev/random if I could be sure it would be only used to supplement, never to replace, more proven and trustworthy sources.
To run in this mode, your entropy daemon would read some bytes from the kernel pool via /dev/random, mix those bytes with the collected entropy, then feed the result back into the pool with the same entropy estimate. In this way you're not "feeding" entropy from your HWRNG but instead using it to improve the entropy collected via other sources (like high-res timers, etc.). To be honest, I've never considered running in this mode; the main benefit of a HWRNG is the improvement in entropy generation, and this approach does not provide any such improvement.
> Bonus question: if I take the direct output of my HWRNG, and use it with a hash function and a long, random seed that is invariant, that should even out the bits of output and help account for fluctuations in true entropy, right?
This is what the "mixing" or "blinding" step of an entropy daemon does: obscure the state of the HWRNG and compress the sampled entropy via cryptographically secure digests or ciphers. (There are a few different constructions for this; you should peruse the literature. :)

Best regards,
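The two steps discussed in this reply, the blinding/compression of a raw HWRNG sample and the "feedback mode" in which bytes withdrawn from /dev/random are mixed with the HWRNG output and credited back at the same estimate, as one worked example. This is added illustration code, not code from the thread or from any existing entropy daemon. Everything in it is assumed rather than taken from the posts: the HWRNG is stood in for by a constructed byte string, the blinding step is HMAC-SHA256 keyed with a long invariant secret seed, the mixing step is SHA-256 over the concatenation, the `raw_bits_per_byte` estimate for the raw HWRNG bytes is a parameter the daemon operator would have to justify, and the feedback into the kernel pool uses the Linux `RNDADDENTROPY` ioctl on /dev/random (which needs CAP_SYS_ADMIN and is only attempted under `__main__`).

```python
"""Feedback-mode entropy daemon step (added example, not from the thread).

Assumed, not from the original posts: constructed HWRNG bytes, HMAC-SHA256
blinding with an invariant seed, SHA-256 mixing, Linux RNDADDENTROPY feedback.
"""
import hashlib
import hmac
import os
import struct

# linux/random.h: RNDADDENTROPY = _IOW('R', 0x03, int[2]).  Generic asm ioctl
# encoding (x86, arm): direction write (1<<30), size 8 bytes, type 'R', nr 3.
RNDADDENTROPY = (1 << 30) | (8 << 16) | (ord("R") << 8) | 0x03  # 0x40085203

DIGEST_LEN = 32  # SHA-256 / HMAC-SHA256 output length in bytes


def blind_sample(raw: bytes, seed: bytes, raw_bits_per_byte: float):
    """Blinding/compression step: hide the HWRNG's raw state behind a keyed
    digest and fold the sample's estimated entropy into 32 bytes.

    Returns (digest, credit_bits).  The credit is the smaller of the estimate
    for the raw bytes and the 256 bits a 32-byte output can carry: hashing
    never creates entropy, it only concentrates what was sampled.
    """
    if len(seed) < 32:
        raise ValueError("seed must be a long, secret, invariant value")
    digest = hmac.new(seed, raw, hashlib.sha256).digest()
    credit = min(int(len(raw) * raw_bits_per_byte), 8 * DIGEST_LEN)
    return digest, credit


def mix_with_pool(pool_bytes: bytes, hw_bytes: bytes):
    """Feedback step: combine bytes withdrawn from /dev/random with the
    blinded HWRNG bytes.  The returned estimate is exactly what was withdrawn
    (8 bits per byte of /dev/random output, capped by the digest size), so
    the HWRNG supplements the pool instead of adding its own credit."""
    mixed = hashlib.sha256(pool_bytes + hw_bytes).digest()
    credit = min(8 * len(pool_bytes), 8 * DIGEST_LEN)
    return mixed, credit


def build_rand_pool_info(entropy_bits: int, data: bytes) -> bytes:
    """Pack struct rand_pool_info { int entropy_count; int buf_size; __u32 buf[]; }."""
    if entropy_bits < 0 or entropy_bits > 8 * len(data):
        raise ValueError("cannot credit more entropy bits than bytes supplied")
    return struct.pack("ii", entropy_bits, len(data)) + data


def feedback_step(raw_sample: bytes, seed: bytes, raw_bits_per_byte: float,
                  read_pool=None) -> bytes:
    """One daemon iteration: blind the HWRNG sample, withdraw the same number
    of bytes from the pool, mix, and build the request to credit them back.
    read_pool(n) defaults to a blocking read of /dev/random; tests inject one."""
    if read_pool is None:
        def read_pool(n):
            with open("/dev/random", "rb", buffering=0) as f:
                return f.read(n)
    hw_bytes, _hw_credit = blind_sample(raw_sample, seed, raw_bits_per_byte)
    # In feedback mode the HWRNG's own credit is deliberately not used.
    pool_bytes = read_pool(len(hw_bytes))
    mixed, credit = mix_with_pool(pool_bytes, hw_bytes)
    return build_rand_pool_info(credit, mixed)


def add_to_pool(packed: bytes, dev: str = "/dev/random") -> None:
    """Hand the packed request to the kernel (Linux only, needs CAP_SYS_ADMIN)."""
    import fcntl
    with open(dev, "wb") as f:
        fcntl.ioctl(f, RNDADDENTROPY, packed)


if __name__ == "__main__":
    # Constructed stand-ins: a 128-byte "HWRNG sample" and a 32-byte seed.
    fake_hwrng = bytes(range(128))
    seed = b"\x5a" * 32
    req = feedback_step(fake_hwrng, seed, raw_bits_per_byte=2.0)
    if os.path.exists("/dev/random") and os.geteuid() == 0:
        add_to_pool(req)
    else:
        print("packed request header:", req[:8].hex(), "(not fed back: not root/Linux)")
```

The check a practitioner will want is in `build_rand_pool_info`: the kernel takes `entropy_count` on faith, so the daemon must never credit more bits than it is handing over, and in feedback mode the credit is simply what it just withdrew. A real daemon would replace the constructed sample with reads from the device, keep the seed out of any world-readable file, and run the loop under a rate limit so it does not drain /dev/random faster than the other sources refill it.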