lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 08 Dec 2007 20:07:51 -0500
From:	Jon Masters <jonathan@...masters.org>
To:	Theodore Tso <tytso@....edu>
Cc:	Willy Tarreau <w@....eu>, Jeff Garzik <jeff@...zik.org>,
	Matt Mackall <mpm@...enic.com>,
	Mike McGrath <mmcgrath@...hat.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Ray Lee <ray@...rabbit.org>, Adrian Bunk <bunk@...nel.org>,
	Marc Haber <mh+linux-kernel@...schlus.de>,
	linux-kernel@...r.kernel.org, hmh@...ian.org
Subject: Re: entropy gathering (was Re: Why does reading from /dev/urandom
	deplete entropy so much?)


On Sat, 2007-12-08 at 18:47 -0500, Theodore Tso wrote:
> On Sat, Dec 08, 2007 at 09:42:39PM +0100, Willy Tarreau wrote:
> > I remember having installed openssh on an AIX machines years ago, and
> > being amazed by the number of sources it collected entropy from. Simple
> > commands such as "ifconfig -a", "netstat -i" and "du -a", "ps -ef", "w"
> > provided a lot of entropy.
> 
> Well.... not as many bits of entropy as you might think.  But every
> little bit helps, especially if some of it is not available to
> adversary.

I was always especially fond of the "du" entropy source with Solaris
installations of OpenSSH (the PRNG used commands like "du" too). It was
always amusing that a single network outage at the University would
prevent anyone from ssh'ing into the "UNIX" machines. So yeah, if we
want to take a giant leap backwards, I suggest jumping at this.

Lots of these are not actually random - you can guess the free space on
a network drive in some certain cases, you know what processes are
likely to be created on a LiveCD, and many dmesg outputs are very
similar, especially when there aren't precie timestamps included.

But I do think it's time some of this got addressed :-)

Cheers,

Jon.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ