[Cryptography] randomness +- entropy

Hannes Frederic Sowa hannes at stressinduktion.org
Thu Nov 7 13:48:29 EST 2013


On Thu, Nov 07, 2013 at 11:41:02AM +0200, Yaron Sheffer wrote:
> >On Wed, Nov 06, 2013 at 12:38:32AM +0100, Hannes Frederic Sowa wrote:
> >>
> >>Why not always print a warning once if someone tried to extract
> >>randomness before the pool was fully initialized? I would even consider
> >>adding a WARN_ONCE there so that it is really visible to the user. Maybe
> >>kerneloops.org or some other distro infrastructure could uncover which
> >>devices have their nonblocking random pool initialized too late.
> >
> >What, you mean like this?
> >
> >http://git.kernel.org/cgit/linux/kernel/git/tytso/random.git/commit/?h=dev&id=392a546dc8368d1745f9891ef3f8f7c380de8650
> >
> >Actually, things aren't too bad.  The primary problematical caller
> >that I noted was:
> >
> >random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available
> >
> >... however, this looks like it's not a security problem, since as
> >near as I can tell the code in question doesn't actually need
> >cryptographic randomness.  It simply dates back to before
> >prandom_u32() existed in the kernel.  (We have a similar use case in
> >ext4, where we only need a PRNG, and not a CSRNG.  Although
> >fortunately, by the time the file system is remounted r/w, urandom is
> >typically already initialized, so we're not actually triggering this
> >warning.)
> >
> 
> When this Minstrel guy reads urandom (which only has 23 bits of entropy 
> at the time), do you reset the entropy estimate to 0? If you don't, and 
> Minstrel broadcasts the random value somehow (in this case, as a timing 
> value) an attacker can easily discover the first 23 bits of entropy 
> which would make guessing the PRNG value of the next consumer much easier.

No, it is not done yet. I think you are right and we should reseed the prng at
that point in time.
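As an added example (not code from this thread, nor from the kernel), a small Python script that picks early callers out of the warning lines printed by the patch Ted links, and a toy entropy-estimate model of the debit-on-extraction policy Yaron raises; the 128-bit initialisation threshold, the 4096-bit pool size and the second dmesg line are assumptions.

```python
import re
from dataclasses import dataclass

# Shape of the warning quoted in the thread. The second sample line below
# is constructed, not taken from any real log.
WARN_RE = re.compile(
    r"random: (?P<caller>\S+)\+0x(?P<off>[0-9a-f]+)/0x(?P<size>[0-9a-f]+) "
    r"get_random_bytes called with (?P<bits>\d+) bits of entropy available"
)

# Assumption: treat the nonblocking pool as initialised once 128 bits have
# been credited; the thread does not state the exact threshold.
INIT_BITS = 128

@dataclass
class EarlyCaller:
    caller: str
    offset: int
    bits: int

def parse_warnings(lines):
    """Return the callers that pulled randomness before the pool was ready."""
    found = []
    for line in lines:
        m = WARN_RE.search(line)
        if m and int(m["bits"]) < INIT_BITS:
            found.append(EarlyCaller(m["caller"], int(m["off"], 16), int(m["bits"])))
    return found

class PoolEstimate:
    """Toy entropy accounting for the question raised in the thread: debit the
    estimate when bytes are extracted, so a value that later leaks (e.g. as a
    timing value) cannot leave stale credit behind for the next consumer."""
    def __init__(self):
        self.bits = 0
    def credit(self, bits):
        self.bits = min(self.bits + bits, 4096)     # assumed pool size in bits
    def extract(self, nbytes):
        before = self.bits
        self.bits = max(0, self.bits - nbytes * 8)  # debit what was handed out
        return before                                # bits available at call time
    def initialised(self):
        return self.bits >= INIT_BITS

SAMPLE_DMESG = [
    "random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available",
    "random: nonblocking pool is initialized",       # constructed sample line
]
```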
