customizing Live CD images (was: urandom etc.)
John Denker
jsd at av8n.com
Tue Aug 3 01:47:34 EDT 2010
We have been discussing the importance of a unique random-seed
file each system. This is important even forsystems that boot
from read-only media such as CD.
To make this somewhat more practical, I have written a script
to remix a .iso image so as to add one or more last-minute files.
The leading application (but probably not the only application)
is adding random-seed files.
The script can be found at
http://www.av8n.com/computer/fixup-live-cd
This version is literally two orders of magnitude more
efficient than the rough pre-alpha version that I put up
yesterday ... and it solves a more general problem, insofar
as random-seed files are not the only things it can handle.
Early-boot software is outside my zone of comfort, let
alone expertise, so I reckon somebody who is friends with
Casper could make further improvements ... but at least
for now this script serves as an "existence proof" to show
that
a) the PRNG situation is not hopeless, even for read-only
media; and
b) it is possible to remix Live CD images automatically
and somewhat efficiently.
I think by taking two steps we can achieve a worthwhile
improvement in security:
-- each system should have its own unique random-seed
file, with contents not known to the attackers; and
-- the init.d/urandom script should seed the PRNG
using "date +%s.%N" (as well as the random-seed file).
Neither step is worth nearly as much without the other,
but the two of them together seem quite worthwhile.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list