lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <47729DCB.6010000@cfl.rr.com>
Date:	Wed, 26 Dec 2007 13:30:35 -0500
From:	Phillip Susi <psusi@....rr.com>
To:	Andrew Lutomirski <luto@...ealbox.com>
CC:	Theodore Tso <tytso@....edu>, David Newall <david@...idnewall.com>,
	John Reiser <jreiser@...wagon.com>,
	Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org,
	security@...nel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data

Andrew Lutomirski wrote:
> No, it's there, and if there's little enough entropy around it can be
> recovered by brute force.

A little entropy is enough to prevent a brute force attack.  You would 
have to have ZERO entropy after a cold boot so the attacker would know 
exactly the contents of the pool, AND know that one and ONLY one other 
task has read from /dev/urandom, AND exactly what time that task did so, 
AND how many bytes it read.  Only then could the attacker read from 
urandom and based on those bytes and the previous known pool state, 
brute force the 3 bytes that came from some unknown location in the 
other task's memory.

>>> Step 1: Boot a system without a usable entropy source.
>>> Step 2: add some (predictable) "entropy" from userspace which isn't a
>>> multiple of 4, so up to three extra bytes get added.
>>> Step 3: Read a few bytes of /dev/random and send them over the network.
>> Only root can do 1 and 2, at which point, it's already game over.
> 
> Again, no.  Root could do this accidentally.  Step 1 happens all the
> time (see the comments on non-unique UUIDs).  Step 2 just requires a

It does not happen all the time.  It happens on a system that has just 
been cold booted from read only distribution media with a broken cmos 
clock, no user keyboard interaction, and no hardware rng and that's it. 
  Every other system is going to have some entropy from the last boot at 
least.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ