[Cryptography] Timing of saving RNG state

Viktor Dukhovni cryptography at dukhovni.org
Fri Jan 3 14:37:49 EST 2014


On Fri, Jan 03, 2014 at 01:01:16PM -0500, Theodore Ts'o wrote:

> So for example, it's a really good idea to seed Linux's /dev/random
> with some unpredictable randomness.  We save some before system
> shutdown, and we reinitialize it with it on system startup.  But if
> you are starting up a VM from scratch, initializing the seed file with
> a secret is a useful thing to do.

Speaking of the timing of RNG state save/restore, Nico Williams
observes that it would be prudent to save state not only on (clean)
shutdown, but also at startup, immediately after the previously
saved seed is loaded.  That way after a power-outage, panic, ...
the seed does not start in the same state as on the previous boot.

[ Clearly the saved seed must be derived and later restored in a
way that ensures that the resumed PRNG stream is not identical with
the stream that will be generated from the state at the time of the
checkpoint.  This is not a difficult requirement to meet.  ]

-- 
	Viktor.
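A runnable sketch of the two points above (save the seed again right after loading it, and derive the seed file so restoring it cannot replay the post-checkpoint stream), added here as an illustration; it is not code from this thread or from any kernel. The HMAC-based ToyPRNG, the dict standing in for the seed file and all seed values are constructed assumptions.

```python
import hashlib
import hmac

class ToyPRNG:
    """Deterministic HMAC-SHA256 generator standing in for a kernel pool (constructed)."""
    def __init__(self):
        self.state = b"\x00" * 32
    def _prf(self, label, data=b""):
        return hmac.new(self.state, label + data, hashlib.sha256).digest()

    def mix(self, data):
        # One-way absorption of seed material, e.g. the seed file read at startup.
        self.state = self._prf(b"mix", data)

    def output(self, n):
        out = b""
        while len(out) < n:
            out += self._prf(b"out")
            self.state = self._prf(b"ratchet")  # do not keep state that emitted output
        return out[:n]

    def export_seed(self):
        # Seed file = derived value under its own label, then ratchet, so a restore
        # from it cannot replay the stream produced after this checkpoint.
        seed = self._prf(b"seedfile")
        self.state = self._prf(b"ratchet")
        return seed

def boot(seed_file, save_at_startup):
    prng = ToyPRNG()
    prng.mix(seed_file["seed"])
    if save_at_startup:  # the startup-time save Nico Williams suggests
        seed_file["seed"] = prng.export_seed()
    return prng

def crash_reboot_outputs(save_at_startup):
    """Boot, draw output, lose power (so no shutdown-time save), boot again."""
    seed_file = {"seed": b"\x11" * 32}  # constructed: left by an earlier clean shutdown
    first = boot(seed_file, save_at_startup).output(32)
    second = boot(seed_file, save_at_startup).output(32)
    return first, second

def restore_does_not_replay_checkpoint():
    prng = ToyPRNG()
    prng.mix(b"constructed entropy")
    saved = prng.export_seed()           # checkpoint written to the seed file
    continued = prng.output(32)          # stream the live system goes on to emit
    restored = ToyPRNG()
    restored.mix(saved)                  # next boot restores from the checkpoint
    return restored.output(32) != continued
```

Without the startup save, the two boots after a crash draw identical output from the same seed; with it, the second boot starts from a fresh derived seed.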