Re: /dev/urandom uses uninit bytes, leaks user data

From: David Newall
Date: Mon Dec 17 2007 - 22:13:20 EST


Theodore Tso wrote:
> On Mon, Dec 17, 2007 at 07:52:53PM -0500, Andy Lutomirski wrote:
> > It runs on a freshly booted machine (no DSA involved, so we're not
> > automatically hosed), so an attacker knows the initial pool state.
>
> Not just a freshly booted system. The system has to be a freshly
> booted, AND freshly installed system. Normally you mix in a random
> seed at boot time. And during the boot sequence, the block I/O will
> be mixing randomness into the entropy pool, and as the user logs in,
> the keyboard and mouse will be mixing more entropy into the pool. So
> you'll have to assume that all entropy inputs have somehow been
> disabled as well.

On a server, keyboard and mouse are rarely used. As you've described it, that leaves only the disk, and during the boot process, disk accesses and timing are somewhat predictable. Whether this is sufficient to break the RNG is (clearly) a matter of debate.