[Cryptography] RNG design principles

Ralf Senderek crypto at senderek.ie
Sun Nov 27 10:08:24 EST 2016

On Sun, 27 Nov 2016, John Denker wrote:

> On 11/27/2016 06:00 AM, Ralf Senderek wrote:
>>> is [there] a better way to secure
>>> the secret seed than to store it in the file system? 
> It needs to be secure.  Putting it outside the filesystem is an
> odd way to make it secure.  If the existing permissions system
> is not good enough, we have already forfeited the game, in ways
> unrelated to randomness.

This is IMHO a (common) over-simplification, though.
If the threat model includes faulty root code on the endpoint
device it may be prudent to limit the lifetime of the stored
secret seed to the very first milliseconds of the boot process,
so that kernel code can access it and then unmount it from the
ordinary file system. This way it would need full root access
permission (i.e running arbitrary code as root)
to re-install the secret information after the boot
process has finished. This can be a protection in case any
daemon (running as root) accidentally acquires read access
to a file because of an unfixed vulnerability, but the same
process is still not able to re-install the information that
was available to kernel code in the first second of the boot

Storing this information even in a separate partition (or
similar) would make sense, because the game is not over,
just because some code can be tricked into reading a
root-read-only file.

The Crypto Bone does something similar, though later in the
boot process with the filesystem already present.

> The permissions system is easier to
> use than whatever tools would be used to store stuff outside
> the filesystem.  In either case, attention to detail is required.

Easier yes, but not as secure.


More information about the cryptography mailing list