/dev/random and virtual systems

[Thomas]

Hi,
we are using haveged in our VMs to feed the random pool and
it seems to work good (means: statistical verification of
the output looks good, nearly 0 entropy overestimation, but
we never correlated output from cloned VMs).

I assume feeding the VMs from the host system can be problematic
because the host system itself often doesn't have enough entropy.
Much entropy is needed today for protocolls, session IDs and the
elf_loader(!).

Cheerio
Thomas

Am Montag 02 August 2010, 21:38:10 schrieb Yaron Sheffer:
> Hi,
> 
> the interesting thread on seeding and reseeding /dev/random did not
> mention that many of the most problematic systems in this respect are
> virtual machines. Such machines (when used for "cloud computing") are
> not only servers, so have few sources of true and hard-to-observe
> entropy. Often the are cloned from snapshots of a single virtual
> machine, i.e. many VMs start life with one common RNG state, that
> doesn't even know that it's a clone.
> 
> In addition to the mitigations that were discussed on the list, such
> machines could benefit from seeding /dev/random (or periodically
> reseeding it) from the *host machine's* RNG. This is one thing that's
> guaranteed to be different between VM instances. So my question to the
> list: is this useful? Is this doable with popular systems (e.g. Linux
> running on VMWare or VirtualBox)? Is this actually being done?
> 
> Thanks,
>      Yaron
> 
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com