lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <1280724732.18586.28.camel@calx>
Date:	Sun, 01 Aug 2010 23:52:12 -0500
From:	Matt Mackall <mpm@...enic.com>
To:	Christoph Anton Mitterer <calestyo@...entia.net>
Cc:	Henrique de Moraes Holschuh <hmh@...ian.org>,
	Herbert Xu <herbert@...dor.apana.org.au>,
	Theodore Ts'o <tytso@....edu>, linux-kernel@...r.kernel.org
Subject: Re: [Pkg-sysvinit-devel] Bug#587665: Safety of early boot init of
 /dev/random seed

On Mon, 2010-08-02 at 00:52 +0200, Christoph Anton Mitterer wrote:
> Hey Matt...
> 
> May I ask you a follow-up question on that,... which is however not so
> much Debian-init-related, I guess.
> 
> 
> On Mon, 2010-07-05 at 13:40 -0500, Matt Mackall wrote:
> > > > 1. How much data of unknown quality can we feed the random pool at boot,
> > > >    before it causes damage (i.e. what is the threshold where we violate the
> > > >    "you are not goint to be any worse than you were before" rule) ?
> > 
> > There is no limit. The mixing operations are computationally reversible,
> > which guarantees that no unknown degrees of freedom are clobbered when
> > mixing known data.
> > 
> > > > 2. How dangerous it is to feed the pool with stale seed data in the next
> > > >    boot (i.e. in a failure mode where we do not regenerate the seed file) ?
> > 
> > Not at all.
> 
> Are the above to statements also true for possibly "evil" random data?

Yes. Mixing in known values will not cause the contents of the pool to
become 'more known'. This is what I mean about reversible mixing
(without getting too technical): you can mix in a billion known values,
then mathematically reverse the billion mixing operations to return to
the original unknown state. Which means that the state after a billion
operations has just as much unknown-ness as it did when it started.

Here's the simplest version: consider that you've got a single unknown
bit X. Then you "mix" in Y1...Y9999 with X'=X^Y (reversible with
X=X'^Y). Because you don't know anything about X beforehand, no number
or pattern of bits Yn is going to improve your guess of the final value
of X - after each operation, it's still exactly as unguessable as
before.

Crucially, though, if you start with a _known_ value and mix in
_unknowns_ (what you're usually trying to do), the resulting state's
unknown-ness increases. With a good mixing function (and ours is pretty
decent), repeated addition of unknown values rapidly saturates the
unknown-ness of the pool.

-- 
Mathematics is the supreme nostalgia of our time.


--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ