Re: [PATCH] let Net Devices feed Entropy, updated (1/2)

From: Mike Touloumtzis (miket@bluemug.com)
Date: Wed Aug 22 2001 - 01:10:02 EST

Next message: Luca Montecchiani: "Oops in 2.4.9"
Previous message: Frédéric L. W Meunier: "Will 2.6 require Python for any configuration ? (CML2)"
In reply to: Robert Love: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Next in thread: Robert Love: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Reply: Robert Love: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Reply: Alex Bligh - linux-kernel: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Reply: Chris Friesen: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Aug 18, 2001 at 11:56:41PM -0400, Robert Love wrote:
>
> Again, /dev/urandom is just as "secure" as /dev/random. Its the same
> pool. The same stuff. Except that /dev/random blocks when the entropy
> count hits 0.

You have been repeating that there is no difference in security
between /dev/random and /dev/urandom, but consider this: you install
a kernel/hardware combination without any registered SA_SAMPLE_RANDOM
IRQs (i.e. headless, no IDE, no NICs with SA_SAMPLE_RANDOM IRQs).
This configuration is not hard to imagine for, say, a dedicated
server appliance or embedded device.

The entropy pool for such a system starts at 0s, unless I'm
misreading the source; from create_entropy_store():

memset(r->pool, 0, poolwords*4);

As long as no interrupt ever adds randomness to this pool, I might be
able to predict every bit ever read from /dev/random on this machine.
I don't need to break SHA-1, I just run the algorithm forward from
its starting point. I guess I would probably have to know the size
of each read, so in practice an active network (TCP initial sequence
numbers) in combination with other reads would make my job harder.
But it's still a scary scenario. And it comes from the fact that
although /dev/urandom is a strong PRNG, it is still deterministic,
and if I know its complete state at any point and can simulate
subsequent events, I can predict its behavior.

/dev/random is very good for making sure you never generate a GPG
key on a machine like this. I agree with most people on this thread
that session keys are usually safe coming from /dev/urandom. But you
should still make sure you have at least one device feeding into
the entropy pool, something I'm sure many admins have no clue about
and don't verify.

miket
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Luca Montecchiani: "Oops in 2.4.9"
Previous message: Frédéric L. W Meunier: "Will 2.6 require Python for any configuration ? (CML2)"
In reply to: Robert Love: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Next in thread: Robert Love: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Reply: Robert Love: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Reply: Alex Bligh - linux-kernel: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Reply: Chris Friesen: "Re: [PATCH] let Net Devices feed Entropy, updated (1/2)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Thu Aug 23 2001 - 21:00:47 EST