lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <4E67E1B0.2040309@atsec.com>
Date:	Wed, 07 Sep 2011 23:27:12 +0200
From:	Stephan Mueller <stephan.mueller@...ec.com>
To:	Ted Ts'o <tytso@....edu>, Steve Grubb <sgrubb@...hat.com>,
	Jarod Wilson <jarod@...hat.com>,
	Sasha Levin <levinsasha928@...il.com>,
	linux-crypto@...r.kernel.org, Matt Mackall <mpm@...enic.com>,
	Neil Horman <nhorman@...hat.com>,
	Herbert Xu <herbert.xu@...hat.com>,
	lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] random: add blocking facility to urandom

On 07.09.2011 23:18:58, +0200, Ted Ts'o <tytso@....edu> wrote:

Hi Ted,

> On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote:
>>
>> When a system is underattack, do you really want to be using a PRNG
>> for anything like seeding openssl?  Because a PRNG is what urandom
>> degrades into when its attacked.
> 
> This is not technically true.  urandom degrades into a CRNG
> (cryptographic random number generator).  In fact what most security
> experts recommend is to take a small amount of security, and then use
> that to seed a CRNG.

Correct.

However, a CRNG shall be reseeded once in a while - see standard crypto
libraries and their CRNGs (OpenSSL being a notable exception here). And
that is what this entire discussion is all about: to ensure that the
CRNG is reseeded with entropy, eventually.

> 
>> If enough bytes are read that an
>> attacker can guess the internal state of the RNG, do you really want
>> it seeding a openssh session?
> 
> In a cryptographic random number generator, there is a either a
> cryptographic hash or a encryption algorithm at the core.  So you
> would need a huge amounts of bytes, and then you would have to carry
> out an attack on the cryptographic core.

Correct.

And exactly that is the concern from organizations like BSI. Their
cryptographer's concern is that due to the volume of data that you can
extract from /dev/urandom, you may find cycles or patterns that increase
the probability to guess the next random value compared to brute force
attack. Note, it is all about probabilities.
> 
> If this is the basis for the patch, then we should definitely NACK it.
> It sounds like snake oil fear mongering.
> 
> 					- Ted
> 
> 
> 


-- 
Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ