[Cryptography] What's a Plausible Attack On Random Number Generation?

[Yaron Sheffer]

On 2013-11-03 01:36, John Denker wrote:
> As one possible answer to the question in the Subject: line
> of this thread:  The #1 all-time most-plausible method for
> attacking a PRNG starts by finding out how badly initialized
> the thing is.
>
> Some actual observed facts:
>                                     prior
>       startup script                #bits
>     ---------------------           -----
>     (mountall)                      18816
>     (mounted-run)                   21888
>     (sshd server)                   35616
>     (network-interface : lo)        55968
>     (network-interface : eth0)      68832
>     (urandom)                       79168
>
> In the left column, we have the description of a startup script,
> as observed on an ordinary Linux system.  In the rightmost column
> we have the number of bits extracted from the kernel PRNG before
> said script gets invoked.
>
Thank you, this is great information (if only for some distros, as Ted 
noted).

I personally think the following three are better alternatives than a 
DHCP-based solution, however they are not sufficiently widespread and so 
leave enough of a hole that DHCP could plug:

1. Pre-provisioning of a random, unique, secret seed by the manufacturer,
2. Hardware sources, such as RdRand.
3. Obtaining a seed from the host, in virtual environment.

#1 is rarely done, #3 is only applicable to some environments (and not 
even to all public clouds), and #2 does not apply to all hardware.

I agree that DHCP alone will not solve the problem and that startup 
processes will need to be rearranged in some cases, or at least the 
important consumers (sshd) will need to hold off before they start 
requesting entropy.

Thanks,
	Yaron