[Cryptography] [RNG] on RNGs, VM state, rollback, etc.

Adam Back adam at cypherspace.org
Sat Oct 19 12:36:33 EDT 2013


On Sat, Oct 19, 2013 at 10:33:34AM -0400, Theodore Ts'o wrote:
>At the risk of repeating myself, we made a lot of changes to the
>/dev/random code base when we received a preprint of the Mining your
>P's and Q's paper (patches went into mainline the first week in July,
>and got propagated to older kernels via the stable kernel trees about
>2 weeks later; the paper was published at Usenix Security in August.)
>
>One of them was to do precisely this --- /dev/urandom now mixes in
>salting information (ethernet MAC addresses, etc, via the new
>interface add_device_randomness).  Zero entropy is indeed assessed,
>and the main goal is to avoid the trivially easy case of shared primes
>in the case where we fail to gather enough entropy.

I know it's obvious and you mentioned the risks, but this is in principle a
band-aid or worse; it gives the illusion of entropy in the face of actually
no entropy to an attacker who can readily obtain the serial numbers in
question (e.g. because the MAC is broadcast on the LAN) or simply brute-force
them, because the GUID, while large, is highly structured and sparse.

It would seem safer to fail/stop and demand user action.  I know that's not a
popular decision in a distro/package/boot sequence, but churning out
0-entropy keys disguised as having entropy, being E_0( mac ) and such analogs,
is a bad outcome and won't be observable via identical P, Q key searches.

People are seemingly in a hurry, or don't care much, or don't understand when it
comes to packaging and thinking about security.

Adam
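The following is an added toy model of the two positions in this exchange; it is not code from the thread, from the kernel, or from either author. A SHA-256 counter-mode stream stands in for /dev/urandom, 32-bit primes stand in for RSA primes so the pairwise-GCD scan from "Mining your P's and Q's" runs instantly, and the hosts' MAC addresses and "late" entropy are constructed values. The model makes one simplifying assumption about the boot sequence: the first prime p is drawn before any real entropy has been gathered, the second prime q after some per-host entropy has been mixed in. With no device salt, every host shares p and the GCD scan finds it. With the MAC mixed in (zero entropy credited, as Ts'o describes), the moduli no longer share factors and the scan finds nothing, yet an attacker who can enumerate the structured MAC space replays the boot stream and factors every key, which is Back's objection.

```python
"""Added example: device-salted vs unsalted zero-entropy key generation.

Toy model only: SHA-256 counter mode stands in for the kernel DRBG and
32-bit primes stand in for RSA primes. MACs and entropy are constructed.
"""
import hashlib
from itertools import combinations
from math import gcd

PRIME_BITS = 32


def drbg_stream(seed: bytes):
    """Deterministic byte stream: SHA-256 over seed || counter."""
    counter = 0
    while True:
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
        yield from block


def is_prime(n: int) -> bool:
    """Miller-Rabin; bases 2..13 are deterministic for n < 3.4e12."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in (2, 3, 5, 7, 11, 13):
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime_from(stream, bits: int = PRIME_BITS) -> int:
    """Pull bits-wide odd candidates from the stream until one is prime."""
    nbytes = (bits + 7) // 8
    while True:
        cand = int.from_bytes(bytes(next(stream) for _ in range(nbytes)), "big")
        cand = (cand | (1 << (bits - 1)) | 1) & ((1 << bits) - 1)
        if is_prime(cand):
            return cand


def make_modulus(boot_seed: bytes, late_entropy: bytes) -> int:
    """Assumption: p is drawn before any real entropy, q after late_entropy
    has been mixed into the pool (the boot-time entropy hole)."""
    p = next_prime_from(drbg_stream(boot_seed))
    q = next_prime_from(drbg_stream(boot_seed + late_entropy))
    return p * q


def scan_shared_factors(moduli):
    """The 'Mining your P's and Q's' check: pairwise GCD over a key set."""
    hits = {}
    for (i, a), (j, b) in combinations(enumerate(moduli), 2):
        g = gcd(a, b)
        if 1 < g < a:
            hits[(i, j)] = g
    return hits


def attacker_recover_p(n: int, candidate_salts):
    """Attacker replays the seedless boot stream for each guessable salt."""
    for salt in candidate_salts:
        p = next_prime_from(drbg_stream(salt))
        if n % p == 0:
            return p, salt
    return None


# Constructed fleet: four hosts with consecutive MACs under one OUI prefix,
# each gathering distinct entropy only after its first key has started.
OUI_PREFIX = bytes.fromhex("0011223344")
HOST_MACS = [OUI_PREFIX + bytes([0x55 + i]) for i in range(4)]
LATE_ENTROPY = [f"late-entropy-host-{i}".encode() for i in range(4)]


def fleet_moduli(boot_seeds):
    return [make_modulus(s, e) for s, e in zip(boot_seeds, LATE_ENTROPY)]


def demo():
    unsalted = fleet_moduli([b""] * len(HOST_MACS))   # no salt, no entropy
    salted = fleet_moduli(HOST_MACS)                   # MAC mixed, 0 credit
    brute_space = [OUI_PREFIX + bytes([x]) for x in range(256)]  # sparse GUID
    return {
        "unsalted_gcd_hits": scan_shared_factors(unsalted),
        "salted_gcd_hits": scan_shared_factors(salted),
        "salted_recovered": [attacker_recover_p(n, brute_space) for n in salted],
    }


if __name__ == "__main__":
    r = demo()
    print("unsalted: shared-factor pairs found:", len(r["unsalted_gcd_hits"]))
    print("salted:   shared-factor pairs found:", len(r["salted_gcd_hits"]))
    print("salted:   keys factored by MAC brute force:",
          sum(x is not None for x in r["salted_recovered"]))
```

The salt changes which failure is visible, not whether the keys are weak: the public GCD scan goes quiet while a local attacker with the broadcast MAC, or a 256-entry sweep of the OUI range, factors every modulus.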

