[Cryptography] TRNG related review: rngd and /dev/random
Theodore Ts'o
tytso at mit.edu
Wed Jan 20 16:05:50 EST 2016
On Wed, Jan 20, 2016 at 08:09:03AM -0800, Bill Cox wrote:
>
> I may be wrong about this, but the threat-case where I think this matters
> is when an attacker gets access to the machine, learns the state of the
> entropy pool, and then loses access. Can the machine recover?
>
> If only 1 random bit per second is fed into /dev/random, but keys and IVs
> are extracted from /dev/urandom at a bit-rate far higher than this, and if
> the attacker remains as an eavesdropper on the network and can see the
> results of every read to /dev/urandom, then the attacker needs only to make
> a few guesses per second to keep the attacker's copy of the entropy pool
> synced to the server's. Is this right?
Sure, but note the caveat that the attack has to see the results of
"every read to /dev/urandom". This might be true for IV's, but it
would not be true for session keys, unless you have much, much larger
problems. The moment something unknown to the attacker is pulled ---
say, a 128 bit session key the number of possible entropy pool states
that the attacker would have to validate explodes, and it becomes
roughly equivalent to a brute force attack of said 128-bit session
key. (Worse, actually, since we throw away half of the bits so the
trying to maintain knowledge of the entropy pool sate after extracting
128-bits not known to the attacker becomes equivalent to a 256 bit
brute force attack.)
- Ted
More information about the cryptography
mailing list