| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 29 Nov 2006 00:50:56 +0200 From: Eran Tromer <eran@...mer.org> To: Phillip Susi <psusi@....rr.com> CC: linux-kernel@...r.kernel.org, David Wagner <daw@...berkeley.edu> Subject: Re: Entropy Pool Contents On 2006-11-28 19:42, Phillip Susi wrote: > what good does a non root user do by writing to random? If it > does not increase the entropy estimate, and it may not actually increase > the entropy, why bother allowing it? It is not guaranteed to actually increase the entropy, but it might. And in case the entropy was previously overestimated, you will have gained security. Think of it this way: you can have several users feeding the entropy pool, and it suffices that *any* of them is feeding strings with nonzero entropy (with respect to the adversary) in order to get that gain. That said, I don't feel comfortable about allowing untrusted users to directly feed the entropy pool, as it can aggravate some failure modes. To take an extreme example, suppose the adversary has somehow learned the full state of the pool, i.e., the real entropy is 0, contrary to the kernel's estimate. Can things get any worse? Sure they can: Thus far the adversary can mount attacks that require *known* randomness. However, if he can now feed his own strings into the pool mixer as an untrusted user, then he can achieve a *chosen* randomness, and this undoubtedly enables a wider class of attacks (e.g., covert channels). Fully chosen randomness is unlikely here due to the SHA-1 postprocessing, but numerous bits in the next /dev/random read can be fixed simply by exhaustive search. Worse yet, if the injected string is mixed directly into the pool without cryptographic preprocessing, then the exhaustive search can be done via off-line preprocessing: once the primary pool is estimated to have full entropy, the /dev/random algorithm lets you linearly manipulate the /dev/random pool into any state. That's a nasty design flaw, BTW (see Gutterman et al., section 3). Of course, in principle the same is possible by manipulating the existing /dev/random event sources. But it's much harder to produce bit-exact inputs through such indirect means. Eran - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists