[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <47729DCB.6010000@cfl.rr.com>
Date: Wed, 26 Dec 2007 13:30:35 -0500
From: Phillip Susi <psusi@....rr.com>
To: Andrew Lutomirski <luto@...ealbox.com>
CC: Theodore Tso <tytso@....edu>, David Newall <david@...idnewall.com>,
John Reiser <jreiser@...wagon.com>,
Matt Mackall <mpm@...enic.com>, linux-kernel@...r.kernel.org,
security@...nel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data
Andrew Lutomirski wrote:
> No, it's there, and if there's little enough entropy around it can be
> recovered by brute force.
A little entropy is enough to prevent a brute force attack. You would
have to have ZERO entropy after a cold boot so the attacker would know
exactly the contents of the pool, AND know that one and ONLY one other
task has read from /dev/urandom, AND exactly what time that task did so,
AND how many bytes it read. Only then could the attacker read from
urandom and based on those bytes and the previous known pool state,
brute force the 3 bytes that came from some unknown location in the
other task's memory.
>>> Step 1: Boot a system without a usable entropy source.
>>> Step 2: add some (predictable) "entropy" from userspace which isn't a
>>> multiple of 4, so up to three extra bytes get added.
>>> Step 3: Read a few bytes of /dev/random and send them over the network.
>> Only root can do 1 and 2, at which point, it's already game over.
>
> Again, no. Root could do this accidentally. Step 1 happens all the
> time (see the comments on non-unique UUIDs). Step 2 just requires a
It does not happen all the time. It happens on a system that has just
been cold booted from read only distribution media with a broken cmos
clock, no user keyboard interaction, and no hardware rng and that's it.
Every other system is going to have some entropy from the last boot at
least.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists