| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <3242570.OlG8jyNm4p@tauon> Date: Sun, 15 Sep 2013 13:12:15 +0200 From: Stephan Mueller <smueller@...onox.de> To: Theodore Ts'o <tytso@....edu> Cc: Jörn Engel <joern@...fs.org>, John Stultz <john.stultz@...aro.org>, LKML <linux-kernel@...r.kernel.org>, dave.taht@...ferbloat.net, Frederic Weisbecker <fweisbec@...il.com>, Thomas Gleixner <tglx@...utronix.de> Subject: Re: [PATCH] /dev/random: Insufficient of entropy on many architectures Am Freitag, 13. September 2013, 14:59:31 schrieb Theodore Ts'o: Hi Theodore, >On Fri, Sep 13, 2013 at 07:36:20AM +0200, Stephan Mueller wrote: > >However, if you are worried about a malicious entropy source, things >are a little bit different. Suppose RDRAND == AES(i++, NSA_KEY), >where the NSA doesn't know the starting value of i. But if it get can >get a raw RDRAND value (say, someone uses it without doing any >whitening as a session key or as a D-H parameter), it can decrypt the >output using the NSA_KEY, and then now that it knows i, it can brute >force break the RDRAND output, even if it's not entirely sure how many >times RDRAND has been called between that cleanb RDRAND value and the >RDRAND output it is trying to break. > >In *this* case, smearing out the value of RDRAND across the entropy >pool does help, becuase it makes it significantly harder to get a >clean RDRAND value to decrypt. Agreed. I was only talking about "well-behaved" entropy sources. > > >That being said, the much bigger problem that I'm worried about is not >necessarily a trojan'ed RDRAND, but rather on embedded ARM and MIPS >devices where we have unsufficient entropy, and on the first boot out >of the box, there is no random seed file that can be fixed in at boot Yes, my local MIPS-based router which is a very ubiquitous one in Germany (Fritz Box) does not seed /dev/random but yet starts using /dev/urandom during boot cycle. >time. Mixing in personalization information (serial numbers, MAC >addresses) which *hopefully* the NSA wouldn't know in the case of >pervasive, bulk surveillance, is a bit of a help. But it's certainly >no help against a direct, targetted attack. That is why I am hoping that the CPU jitter as harvested by my RNG will help as it delivers entropy on demand in a bandwidth where the initial seeding may not needed any more and we have sufficient entropy during boot sequence. > >Regards, > > - Ted Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists