[Cryptography] TRNG related review: rngd and /dev/random

Bill Cox waywardgeek at gmail.com
Wed Jan 20 16:52:22 EST 2016 

On Wed, Jan 20, 2016 at 1:05 PM, Theodore Ts'o <tytso at mit.edu> wrote:

> On Wed, Jan 20, 2016 at 08:09:03AM -0800, Bill Cox wrote:
> >
> > I may be wrong about this, but the threat-case where I think this matters
> > is when an attacker gets access to the machine, learns the state of the
> > entropy pool, and then loses access.  Can the machine recover?
> >
> > If only 1 random bit per second is fed into /dev/random, but keys and IVs
> > are extracted from /dev/urandom at a bit-rate far higher than this, and
> if
> > the attacker remains as an eavesdropper on the network and can see the
> > results of every read to /dev/urandom, then the attacker needs only to
> make
> > a few guesses per second to keep the attacker's copy of the entropy pool
> > synced to the server's.  Is this right?
>
> Sure, but note the caveat that the attack has to see the results of
> "every read to /dev/urandom".  This might be true for IV's, but it
> would not be true for session keys, unless you have much, much larger
> problems.  The moment something unknown to the attacker is pulled ---
> say, a 128 bit session key the number of possible entropy pool states
> that the attacker would have to validate explodes, and it becomes
> roughly equivalent to a brute force attack of said 128-bit session
> key.  (Worse, actually, since we throw away half of the bits so the
> trying to maintain knowledge of the entropy pool sate after extracting
> 128-bits not known to the attacker becomes equivalent to a 256 bit
> brute force attack.)
>
>                                    - Ted
>

I guess if this were a significant attack vector, someone would patch it.
It is simply a well known minor flaw  that makes my list, and for which I
code around by writing a bunch of random bits all at once rather than
trickling them in.  Rngd gets this detail right, and other entropy
gatherers should be aware of it.

Bill
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20160120/d07acf78/attachment.html>

More information about the cryptography mailing list