Message-ID: <CAEW7ACnkvi-SbTErcJ3K5dReq=tCwuJPs75qHA8xFm+XFAHoLA@mail.gmail.com>
Date: Sat, 18 Aug 2012 17:21:01 -0700
From: Dan Kaminsky <dan@...para.com>
To: coderman <coderman@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: how i stopped worrying and loved the backdoor
Yeah, turns out RNGs *aren't* on most motherboards. Thus, DakaRand.
The biggest surprise of this entire adventure is that DakaRand seems to
work inside of VMs too. Didn't expect that at all. But then, I think
it's going to take some time to analyze what's going on here.
On Sat, Aug 18, 2012 at 4:00 PM, coderman <coderman@...il.com> wrote:
> Dan just released "DakaRand"
> http://dankaminsky.com/2012/08/15/dakarand/
>
> src http://s3.amazonaws.com/dmk/dakarand-1.0.tgz
>
> while admitting that "Matt Blaze has essentially disowned this
> approach, and seems to be honestly horrified that I’m revisiting it"
> and "Let me be the first to say, I don’t know that this works." this
> mode would greatly reduce, maybe eliminate the incidence of key
> duplication in large sample sets (e.g. visibly poor entropy for key
> generation)
>
> the weak keys[0] authors clearly posit that they have detected merely
> the most obvious and readily accessible poor keys, and that further
> attacks against generator state could yield even more vulnerable
> pairs... you have been warned :P
>
> the solution is adding hw entropy[1][2] to the mix. anything less is
> doing it wrong!
>
> if you don't have hw entropy, adding dakarand is better than not.
>
> 0. "Mining Your Ps and Qs: Detection of Widespread Weak Keys in
> Network Devices - Extended"
> https://factorable.net/weakkeys12.extended.pdf
>
> 1. "Intel RNG"
> http://lists.randombit.net/pipermail/cryptography/2012-June/002995.html
> see also by thread:
>
> http://lists.randombit.net/pipermail/cryptography/2012-June/thread.html#2995
>
> 2. xstore
>
> http://www.via.com.tw/en/downloads/whitepapers/initiatives/padlock/rng_prog_guide.pdf
>
> X. LD 50 radiation exposure of the common pigeon. entropy via carrier
> pigeon (DRAFT)
> ;P
>
> P.P.S: if you're not passing valid hw entropy into VM guests, you're
> also doing it wrong. even enough passed at boot is sufficient,
> provided key generation is secure. always a million caveats... and
> adding dakarand to guests is better than not.
>
>
> On Wed, Jul 18, 2012 at 12:35 PM, coderman <coderman@...il.com> wrote:
> > On Fri, Dec 24, 2010 at 5:08 PM, Dan Kaminsky <dan@...para.com> wrote:
> >> ...
> >> Don't we have hardware RNG in most motherboard chipsets nowadays?
> >
> > clearly not enough of them!
> >
> > 'Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network
> > Devices'
> > https://factorable.net/weakkeys12.extended.pdf
>
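The thread's point about weak keys and key duplication in large sample sets comes down to one check a defender can run over a key inventory: RSA moduli generated from a poorly seeded RNG tend to share a prime, and a shared prime is found with a GCD against the product of all other moduli. The following is an added example, not code from the thread, DakaRand, or the cited paper; it implements the product/remainder-tree batch GCD in the style of the method the cited paper describes, with constructed small primes and device names standing in for real 1024-bit moduli.

```python
from math import gcd

def batch_gcd(moduli):
    """For each n_i return gcd(n_i, product of all other moduli).
    Product tree upward, then remainders mod n_i^2 pushed back down,
    so the whole set costs far less than pairwise gcd on large sets."""
    levels = [list(moduli)]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([cur[i] * cur[i + 1] if i + 1 < len(cur) else cur[i]
                       for i in range(0, len(cur), 2)])
    rems = levels.pop()          # top level: [product of everything]
    while levels:
        cur = levels.pop()
        rems = [rems[i // 2] % (cur[i] ** 2) for i in range(len(cur))]
    # P mod n^2 == n * (Q mod n), where Q is the product of the other moduli,
    # so gcd(r // n, n) == gcd(Q, n): the factor(s) n shares with the rest.
    return [gcd(r // n, n) for r, n in zip(rems, moduli)]

def audit(keys):
    """keys: {name: modulus}. Returns {name: (status, shared_value)}.
    'shared-factor' means a prime is shared with another key (both are
    factorable); 'duplicate' means the identical modulus appears elsewhere."""
    names = list(keys)
    result = {}
    for name, g in zip(names, batch_gcd([keys[n] for n in names])):
        n = keys[name]
        status = "ok" if g == 1 else ("duplicate" if g == n else "shared-factor")
        result[name] = (status, g)
    return result

# Constructed sample inventory: small primes stand in for RSA primes.
P_SHARED = 10007
KEYS = {
    "router-a": P_SHARED * 10009,
    "router-b": P_SHARED * 10037,   # same first prime as router-a: poor boot entropy
    "router-c": 10039 * 10061,
    "router-d": 10067 * 10079,
    "router-e": 10039 * 10061,      # exact duplicate of router-c's modulus
}

if __name__ == "__main__":
    for name, (status, g) in audit(KEYS).items():
        print(f"{name}: {status}" + (f" (gcd={g})" if status != "ok" else ""))
```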