| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 17 Dec 2007 19:52:53 -0500 From: Andy Lutomirski <luto@...ealbox.com> To: Theodore Tso <tytso@....edu>, John Reiser <jreiser@...Wagon.com>, Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org, security@...nel.org Subject: Re: /dev/urandom uses uninit bytes, leaks user data Theodore Tso wrote: > On Mon, Dec 17, 2007 at 08:30:05AM -0800, John Reiser wrote: >>>> [You have yet to show that...] >>>> There is a path that goes from user data into the pool. >> Note particularly that the path includes data from other users. >> Under the current implementation, anyone who accesses /dev/urandom >> is subject to having some bytes from their address space being captured >> and mixed into the pool. > > Again, you haven't *proven* this yet. Has anyone *proven* that using uninitialized data this way is safe? As a *user* of this stuff, I'm *very* hesitant to trust Linux's RNG when I hear things like this. (Hint: most protocols are considered insecure until proven otherwise, not the other way around.) Consider: add_entropy_words is reversible [1], presumably in the sense that words could be removed, so, if there added words are independent of the state, there is no loss of entropy. But it also appears reversible in the sense that if the pool has a known state and entropy words are added, most of which are known, the unknown ones can be found (if nothing else, if there are only a few bits of entropy there, you can try all possibilities). Now imagine a security program. It runs some forward secret protocol and it's very safe not to leak data that would break forward secrecy (mlockall, memset when done with stuff, etc). It runs on a freshly booted machine (no DSA involved, so we're not automatically hosed), so an attacker knows the initial pool state. Conveniently, some *secret* (say an ephemeral key, or, worse, a password) gets mixed in to the pool. There are apparently at most three bytes of extra data mixed in, but suppose the attacker knows add the words that were supposed to get mixed in. Now the program clears all its state to "ensure" forward secrecy, and *then* the machine gets hacked. Now the attacker can learn (with at most 2^24 guesses worth of computation) 24 bits worth of a secret, which could quite easily reduce the work involved in breaking whatever forward secret protocol was involved from intractable to somewhat easy. Or it could leak three bytes of password. Or whatever. Sorry for the somewhat inflammatory email, but this is absurd. --Andy [1] http://www.mail-archive.com/linux-kernel@vger.kernel.org/msg238406.html -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists