| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 18 Dec 2007 13:43:28 +1030 From: David Newall <david@...idnewall.com> To: Theodore Tso <tytso@....edu>, Andy Lutomirski <luto@...ealbox.com>, John Reiser <jreiser@...Wagon.com>, Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org, security@...nel.org Subject: Re: /dev/urandom uses uninit bytes, leaks user data Theodore Tso wrote: > On Mon, Dec 17, 2007 at 07:52:53PM -0500, Andy Lutomirski wrote: > >> It runs on a freshly booted machine (no >> DSA involved, so we're not automatically hosed), so an attacker knows the >> initial pool state. >> > > Not just a freshly booted system. The system has to be a freshly > booted, AND freshly installed system. Normally you mix in a random > seed at boot time. And during the boot sequence, the block I/O will > be mixing randomness into the entropy pool, and as the user logs in, > the keyboard and mouse will be mixing more entropy into the pool. So > you'll have to assume that all entropy inputs have somehow been > disabled as well. > On a server, keyboard and mouse are rarely used. As you've described it, that leaves only the disk, and during the boot process, disk accesses and timing are somewhat predictable. Whether this is sufficient to break the RNG is (clearly) a matter of debate. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists