Date:	Tue, 18 Dec 2007 13:43:28 +1030
From:	David Newall <>
To:	Theodore Tso <>, Andy Lutomirski <>,
	John Reiser <>,
	Matt Mackall <>,
Subject: Re: /dev/urandom uses uninit bytes, leaks user data

Theodore Tso wrote:
> On Mon, Dec 17, 2007 at 07:52:53PM -0500, Andy Lutomirski wrote:
>> It runs on a freshly booted machine (no 
>> DSA involved, so we're not automatically hosed), so an attacker knows the 
>> initial pool state.  
> Not just a freshly booted system.  The system has to be a freshly
> booted, AND freshly installed system.  Normally you mix in a random
> seed at boot time.  And during the boot sequence, the block I/O will
> be mixing randomness into the entropy pool, and as the user logs in,
> the keyboard and mouse will be mixing more entropy into the pool.  So
> you'll have to assume that all entropy inputs have somehow been
> disabled as well. 

On a server, keyboard and mouse are rarely used.  As you've described 
it, that leaves only the disk, and during the boot process, disk 
accesses and timing are somewhat predictable.  Whether this is 
sufficient to break the RNG is (clearly) a matter of debate.
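The disagreement above is about how much entropy boot-time block I/O actually contributes compared with keyboard and mouse input. A defender's way to settle it for a given machine is to measure: collect inter-event timings from the source, quantize away jitter an attacker could guess, and compute the min-entropy (the conservative measure, driven by the attacker's single best guess) rather than the friendlier Shannon entropy. The script below is an added example, not code from this thread or from the kernel; both timing series are constructed to mimic the two cases discussed (a replayed boot I/O sequence versus interactive keystrokes), and the 10 µs bucket size is an assumption.

```python
import math
from collections import Counter

# Constructed sample data (not from the thread): gaps, in microseconds,
# between successive block-I/O completions during a scripted boot of one
# server image. Each cold boot replays nearly the same sequence, so the
# gaps cluster tightly around a few values.
BOOT_DISK_GAPS_US = [4123, 4125, 4121, 4124, 4126, 4122, 4125, 4123, 4124, 4122,
                     8354, 8356, 8352, 8355, 8353, 8357, 8354, 8356, 8355, 8353]

# Constructed sample data: gaps between keystrokes during an interactive login.
KEYSTROKE_GAPS_US = [182344, 97120, 250981, 143377, 88902, 301455, 166020,
                     121333, 219870, 95001, 188410, 134902, 271003, 110288,
                     160777, 99830, 243119, 155640, 87403, 202514]


def quantize(samples, bucket_us):
    """Collapse timings into buckets of bucket_us microseconds. Jitter finer
    than the bucket is not counted: an attacker who can predict the bucket
    has effectively predicted the sample."""
    return [s // bucket_us for s in samples]


def min_entropy_per_sample(samples):
    """Min-entropy in bits per sample: log2(1 / p_max), where p_max is the
    empirical probability of the most frequent value. This measures how well
    an attacker's single best guess does, not the average surprise."""
    counts = Counter(samples)
    return math.log2(len(samples) / max(counts.values()))


def shannon_entropy_per_sample(samples):
    """Shannon entropy in bits per sample; always >= min-entropy, and the
    wrong figure to credit because it averages over unlikely outcomes."""
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in Counter(samples).values())


def conservative_credit_bits(samples, bucket_us):
    """Bits one could defensibly credit for this batch, assuming the quantized
    samples are independent. A replayed boot sequence violates that
    assumption, so for the boot trace even this figure is an overestimate."""
    per_sample = min_entropy_per_sample(quantize(samples, bucket_us))
    return math.floor(len(samples) * per_sample)


if __name__ == "__main__":
    for name, data in (("boot disk I/O", BOOT_DISK_GAPS_US),
                       ("keyboard", KEYSTROKE_GAPS_US)):
        q = quantize(data, 10)
        print(f"{name:14s} min-entropy {min_entropy_per_sample(q):.2f} b/sample, "
              f"shannon {shannon_entropy_per_sample(q):.2f} b/sample, "
              f"credit {conservative_credit_bits(data, 10)} bits "
              f"for {len(data)} events")
```

With these inputs the twenty boot I/O events are worth about one bit each (the trace only ever lands in two buckets), while the twenty keystrokes are worth log2(20) bits each; the gap widens further if the boot gaps are treated as the replayed sequence they are rather than as independent draws. Running the same measurement on real traces from the machine in question is what turns "somewhat predictable" into a number.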
