Date: Mon, 18 Dec 2000 21:38:01 +0100
From: Jamie Lokier <lk@tantalophile.demon.co.uk>
David Schwartz wrote:
> The code does its best to estimate how much actual entropy it is gathering.
A potential weakness. The entropy estimator can be manipulated by
feeding data which looks random to the estimator, but which is in fact
not random at all.
Yes, absolutely. That's why you have to be careful before you make
changes to the kernel code to feed additional data to the estimator.
*Usually* relying on interrupt timing is safe, but not always. For
example, an adversary can observe, and in some cases control the
arrivial of network packets which control the network card's interrupt
timings. Is it enough to be able to predict with cpu-counter
resolution the inputs to the /dev/random pool? Maybe; it depends on how
paranoid you are.
Note that writing to /dev/random does *not* update the entropy estimate,
for this very reason. The assumption is that inputs to the entropy
estimator have to be trusted, and since /dev/random is typically
world-writeable, it is not so trusted.
- Ted
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Sat Dec 23 2000 - 21:00:23 EST