[Cryptography] TRNG related review: rngd and /dev/random

Jason Cooper cryptography at lakedaemon.net
Wed Jan 20 09:01:59 EST 2016


+Ted

Bill,

This is a great addition to your previous analysis.  I'll keep it to two
comments, below:

On Tue, Jan 19, 2016 at 05:37:28PM -0800, Bill Cox wrote:
> - If entropy is trickled in, and an attacker who knows the initial state of
> the entropy pool (which is a file on disk) and all the public keys of all
> pairs generated from /dev/random, she can easily guess all the private keys

This isn't a realistic scenario.  An attacker "who knows the initial
state of the entropy pool (which is a file on disk)" either has physical
access to the system or root.  In either case it's game over; she can
just read the keys.

> - Embedded systems such as DD-WRT have had insecure keys due to such issues
> (though I think the DD-WRT folks bear much of the blame in this case)

No.  This is not OS-specific.  Nor kernel-specific.  In order to gather
entropy from the environment, you need a high-res timer.  ARM doesn't
provide that on all SoCs.  Ted has been asking for this for years.
Perhaps he's had progress recently?

thx,

Jason.
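Added illustration (not part of the original thread, and not the Linux kernel's,
rngd's or DD-WRT's actual code): a toy model of the two points above. It mixes a
known on-disk seed with a trickle of timing samples, measures how much
min-entropy those samples carry when the timer is quantized to a given
resolution, and lets an attacker who knows the seed file brute-force the pool.
All names (quantize, jitter_samples, mix_pool, attacker_recovers, simulate) and
the attacker model (she knows the seed and the range each timestamp can fall in)
are assumptions of this example; the "pool" is a plain SHA-256 over the inputs,
not the kernel's mixing function.

```python
"""Toy model: known seed file + trickled timing entropy, at a chosen timer
resolution.  Constructed example; not code from the kernel, rngd or the list."""
import hashlib
import itertools
import math
import time
from collections import Counter


def quantize(delta_ns, resolution_ns):
    """Reduce a nanosecond delta to what a timer of the given resolution sees."""
    return delta_ns // resolution_ns


def jitter_samples(n, resolution_ns, work=2000):
    """Time a small loop n times as a stand-in for event timestamps, then
    quantize each delta to the simulated timer resolution."""
    out = []
    for _ in range(n):
        t0 = time.perf_counter_ns()
        x = 0
        for i in range(work):
            x ^= i * i
        delta = time.perf_counter_ns() - t0
        out.append(quantize(delta, resolution_ns))
    return out


def min_entropy_bits(samples):
    """-log2 of the most likely value's empirical probability (0 if constant)."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def mix_pool(seed_file, samples):
    """Toy pool state: SHA-256 over the on-disk seed and the quantized samples.
    (Assumed simplification; the real pool mixing is different.)"""
    h = hashlib.sha256(seed_file)
    for s in samples:
        h.update(int(s).to_bytes(8, "little"))
    return h.digest()


def attacker_recovers(seed_file, target, candidates, n, max_tries):
    """Attacker knows the seed file and the candidate set for each sample;
    she enumerates combinations until the pool matches or the budget runs out."""
    tries = 0
    for combo in itertools.product(candidates, repeat=n):
        tries += 1
        if mix_pool(seed_file, combo) == target:
            return True, tries
        if tries >= max_tries:
            break
    return False, tries


def simulate(seed_file, resolution_ns, n=6, max_tries=50_000):
    """Collect n samples at the given resolution, build the pool, then attack it.
    Assumed attacker model: each quantized timestamp lies in [0, max observed]."""
    samples = jitter_samples(n, resolution_ns)
    target = mix_pool(seed_file, samples)
    candidates = range(max(samples) + 1)
    recovered, tries = attacker_recovers(seed_file, target, candidates, n, max_tries)
    return {
        "min_entropy_bits": min_entropy_bits(samples),
        "search_space": len(candidates) ** n,
        "recovered": recovered,
        "tries": tries,
    }


if __name__ == "__main__":
    seed = b"constructed-seed-file-contents"  # stands in for the saved pool
    # 1 ns timer (high-res) versus a 1 s timer (the coarse case)
    for res in (1, 10**9):
        r = simulate(seed, resolution_ns=res)
        print(f"resolution={res} ns  min-entropy/sample={r['min_entropy_bits']:.2f} bits  "
              f"search space={r['search_space']}  recovered={r['recovered']} "
              f"after {r['tries']} tries")
```

With a timer too coarse to separate events, every sample quantizes to the same
value, the trickle carries zero bits, and someone who already holds the seed
file needs a single guess; with a fine-grained timer the same attacker faces a
search space that grows exponentially in the number of samples. The coarse case
is the one that matters here: the seed-file knowledge is the unrealistic part,
the timer resolution is what the platform actually controls.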