[Cryptography] Random numbers only once

Darren Moffat darren at nessieroo.com
Thu Feb 6 04:15:15 EST 2014


On 05/02/2014 21:45, John Denker wrote:
> That's the wrong explanation.  Compromise has got nothing to do with it.
>
> On linux systems, the state file in question gets written using bits
> from /dev/urandom (*not* /dev/random).  Reference:
>     /etc/init.d/urandom line 76
>
> As such, on typical systems over most of the last many years, the
> state file contains zero entropy.  It would be quite ludicrous
> to reboot and load this state file and credit to the system more
> entropy afterward than before.
>
> Let's be clear:  No entropy credit is the right answer because of
> no entropy ... for reasons having nothing to do with compromise.

Which is exactly what we do in Solaris (and what Illumos etc do as 
well).  Any writes to /dev/random or /dev/urandom or their equivalents 
that come over /dev/crypto with the appropriate ioctl (for emulation of 
PKCS#11 semantics) are allowed to be mixed into the pool (assuming the 
callers cred has sufficient privilege) but are considered to contribute 
exact 0 entropy credit to the pool state.

Solaris unlike Linux also doesn't expose any stats about the internal 
state of the whole rng subsystem to userspace.  The only way to find 
that out is being root with all privilege and using the kernel 
debugger.   Are we being too paranoid or should we expose to user space 
the current stats about what we believe the amount of entropy etc is ?

> Currently typical systems make no attempt to store entropy.  This
> would not be hard to do;  they just don't do it.

We don't do it on Solaris, however as part of our just completed FIPS 
140-2 validation NIST asked is if we could do that. The reason they 
asked was they wanted to be sure that there was sufficient entropy 
available for when the first parts of the system start calling on a FIPS 
186 PRNG to do key generation.

While I've written up an example system service that does this have no 
plans of integrating it into Solaris as default part of the product.

Given how rarely many server systems reboot and that fact that most 
critical key generation is more likely to be done on the first one or 
two boots afer intial install I think this is pointless anyway.

--
Darren J Moffat

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com



More information about the cryptography mailing list