lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:	Mon, 6 Oct 2008 21:26:41 +0200
From:	Andi Kleen <andi@...stfloor.org>
To:	Kees Cook <kees.cook@...onical.com>
Cc:	Andi Kleen <andi@...stfloor.org>,
	Roland McGrath <roland@...hat.com>,
	linux-kernel@...r.kernel.org, Jakub Jelinek <jakub@...hat.com>,
	Ulrich Drepper <drepper@...hat.com>, libc-alpha@...rceware.org
Subject: Re: [PATCH] ELF: implement AT_RANDOM for future glibc use

> We're already using get_random* for stack, heap, and brk.  Also,
> get_random* uses the nonblocking pool, so this is the same as if userspace
> had tried to pull bytes out of /dev/urandom, which (as I understand it)

Yes exactly that's the problem. Think about it: do you really 
need the same cryptographic strength for your mmap placement
as you need for your SSL session keys?

And if you need true entropy for your session keys do you
still get it when it was all used for low security 
purposes first?

> > What you should instead do is to initialize some other cryptographic RNG
> > regularly and use the output of that.
> 
> Can you give me some examples of this?  I thought the nonblocking
> entropy pool was specifically for this purpose?

It's definitely not a "general purpose random number generator"
or even a "general purpose secure random number generator"

Since so many systems have poor entropy input /dev/urandom has generally 
replaced /dev/random for near all cryptographic software, so it's
just the new black.

-Andi

-- 
ak@...ux.intel.com
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ