[Cryptography] TRNG related review: rngd and /dev/random
Bill Cox
waywardgeek at gmail.com
Wed Jan 20 11:09:03 EST 2016
On Wed, Jan 20, 2016 at 6:01 AM, Jason Cooper <cryptography at lakedaemon.net> wrote:
> This isn't a realistic scenario. An attacker "who knows the initial
> state of the entropy pool (which is a file on disk)" either has physical
> access to the system or root. In either case, it's game over, she can
> just read the keys.
I may be wrong about this, but the threat-case where I think this matters
is when an attacker gets access to the machine, learns the state of the
entropy pool, and then loses access. Can the machine recover?
If only 1 random bit per second is fed into /dev/random, but keys and IVs
are extracted from /dev/urandom at a bit-rate far higher than this, and if
the attacker remains as an eavesdropper on the network and can see the
results of every read to /dev/urandom, then the attacker needs only to make
a few guesses per second to keep the attacker's copy of the entropy pool
synced to the server's. Is this right?
Bill