I collect entropy from the following sources:
- system_entropy = System provided crypto entropy stream (CryptGenRandom on Windows)
- user_entropy = User-provided entropy, in the form of a byte stream of serialized random mouse movements, key strokes etc. (this is manually entered by the user, similar to how TrueCrypt collects entropy)
To generate a key from these sources, is the following construct appropriate?
my_random_key = HKDF(salt, system_entropy || user_entropy)
Where HKDF is an RFC 5869 construct (both extract and expand steps, but since I don't use "info", just extract is sufficient also) based on HMAC-SHA256.
To my understanding, it should be perfectly fine to just append the user entropy to the system entropy, even under the assumption that the user entropy can be entirely controlled by an adversary, right? Because in that case, the adversary will just destroy the "user_entropy" contribution to the security of the key, but assuming the "system_entropy" is sufficient, then it's ok? In a sense, I assume the "system_entropy" to be already secure, but I want to provide "user_entropy" for additional hardening. So I just want to throw as much random junk at the HKDF as possible.
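The construct from the question, written out as an added example (not code from the original post): RFC 5869 HKDF over HMAC-SHA256, checked against the RFC's own test vector 1, then applied to system_entropy || user_entropy. The salt, the os.urandom stand-in for the system CSPRNG and the user-entropy bytes are constructed here, not taken from the question.

```python
import hashlib
import hmac
import os

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 bytes for SHA-256


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 step 1: PRK = HMAC-Hash(salt, IKM). Empty salt -> HashLen zero bytes."""
    if not salt:
        salt = b"\x00" * HASH_LEN
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 step 2: T(i) = HMAC-Hash(PRK, T(i-1) || info || i), truncated to L bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF output length too large")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), HASH).digest()
        okm += t
        counter += 1
    return okm[:length]


def rfc5869_test_vector_1() -> bool:
    """Sanity check of the implementation against RFC 5869 Appendix A, test case 1."""
    ikm = bytes.fromhex("0b" * 22)
    salt = bytes.fromhex("000102030405060708090a0b0c")
    info = bytes.fromhex("f0f1f2f3f4f5f6f7f8f9")
    prk = hkdf_extract(salt, ikm)
    okm = hkdf_expand(prk, info, 42)
    return (prk.hex() == "077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5"
            and okm.hex() == "3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865")


def derive_key(salt: bytes, system_entropy: bytes, user_entropy: bytes, length: int = 32) -> bytes:
    """my_random_key = HKDF(salt, system_entropy || user_entropy), info left empty as in the question.
    The system stream is drawn at a fixed length, so the boundary between the two inputs is unambiguous;
    if that length ever varied, a length prefix in front of system_entropy would keep it so."""
    prk = hkdf_extract(salt, system_entropy + user_entropy)
    return hkdf_expand(prk, b"", length)


if __name__ == "__main__":
    assert rfc5869_test_vector_1()
    salt = os.urandom(16)                          # constructed; a fixed public salt is also fine per RFC 5869
    system_entropy = os.urandom(32)                # stands in for the OS CSPRNG stream
    user_entropy = bytes(range(64))                # constructed stand-in for serialized mouse/key data
    print(derive_key(salt, system_entropy, user_entropy).hex())
```

Two keys derived with the same (possibly adversary-chosen) user_entropy but different system_entropy differ, which is the property the question relies on: a controlled input can only fail to add entropy, not cancel what the other input supplies.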
CryptGenRandom already collects entropy from mouse movements, keystroke timings, etc — and using a much more well-tuned algorithm than you are likely to. Second, if Microsoft is untrustworthy and CryptGenRandom is backdoored, you're already screwed. Just use the output of CryptGenRandom and spend your leftover time addressing attack scenarios with a higher ratio of risk vs mitigation effort.

CryptGenRandom is used only on Windows. I have no idea what the library uses on other platforms. The purpose is to give the users an option for additional hardening in case the library does not do a great job at using the system's native crypto RNG. In such case, the method I suggested in my question is appropriate.

SecureRandom). Just shrugging and betting everything on MS/Google/Apple that they got it right seems ridiculous, when in fact I can do something about it with no risk of messing up (HKDF).