[Cryptography] Timing of saving RNG state
Theodore Ts'o
tytso at mit.edu
Fri Jan 3 14:49:01 EST 2014
On Fri, Jan 03, 2014 at 07:37:49PM +0000, Viktor Dukhovni wrote:
>
> Speaking of the timing of RNG state save/restore, Nico Williams
> observes that it would be prudent to save state not only on (clean)
> shutdown, but also at startup, immediately after the previously
> saved seed is loaded. That way after a power-outage, panic, ...
> the seed does not start in the same state as on previous boot.
It's such a good idea I recommended it almost a decade ago in the Linux
kernel sources. :-)
* When any operating system starts up, it will go through a sequence
* of actions that are fairly predictable by an adversary, especially
* if the start-up does not involve interaction with a human operator.
* This reduces the actual number of bits of unpredictability in the
* entropy pool below the value in entropy_count. In order to
* counteract this effect, it helps to carry information in the
* entropy pool across shut-downs and start-ups. To do this, put the
* following lines in an appropriate script which is run during the boot
* sequence:
*
*     echo "Initializing random number generator..."
*     random_seed=/var/run/random-seed
*     # Carry a random seed from start-up to start-up
*     # Load and then save the whole entropy pool
*     if [ -f $random_seed ]; then
*         cat $random_seed >/dev/urandom
*     else
*         touch $random_seed
*     fi
*     chmod 600 $random_seed
*     dd if=/dev/urandom of=$random_seed count=1 bs=512
And it's such a good idea Debian and Ubuntu's /etc/init.d/urandom also
does this.
- Ted
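
As an added example (not part of the original message or of the kernel sources), the load-then-save step above can be written so the replacement seed is created mode 0600 from the start and swapped in atomically, which keeps a crash in the middle of the save from leaving a truncated seed file. The function name `reseed_at_boot`, the `SEED_BYTES` constant and the temp-file naming are assumptions of this example.

```shell
#!/bin/sh
# Added example: load the seed from the previous boot, then replace it
# right away so the next boot never starts from the same saved state.
# SEED_BYTES and reseed_at_boot are names chosen for this example.
SEED_BYTES=512

# reseed_at_boot SEED_FILE [RNG_DEV]
# Returns 0 once a fresh seed is in place, non-zero otherwise.
reseed_at_boot() {
    seed=$1
    rng=${2:-/dev/urandom}
    tmp="$seed.new.$$"

    # 1. Mix the seed saved by the previous boot (if any) into the pool.
    #    Writing to the device mixes the data in; it does not credit entropy.
    if [ -f "$seed" ]; then
        cat "$seed" >"$rng" || return 1
    fi

    # 2. Draw the replacement seed immediately. The umask is set in a
    #    subshell so the file is never readable by other users, and the
    #    caller's umask is left alone.
    (
        umask 077
        dd if="$rng" of="$tmp" bs="$SEED_BYTES" count=1 2>/dev/null
    ) || { rm -f "$tmp"; return 1; }

    # 3. Reject a short read instead of installing a weak seed.
    size=$(($(wc -c <"$tmp")))
    if [ "$size" -ne "$SEED_BYTES" ]; then
        rm -f "$tmp"
        return 1
    fi

    # 4. rename() is atomic: the seed file is either the old one or the
    #    new one. sync pushes it to disk before the boot continues.
    mv -f "$tmp" "$seed" && sync
}
```
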