[Cryptography] where shall we put the random-seed?

Theodore Ts'o tytso at mit.edu
Fri Jan 6 17:18:19 EST 2017


On Fri, Jan 06, 2017 at 12:46:13AM -0500, Kevin W. Wall wrote:
> 
> Pardon my ignorance of your complete threat model here, but if an attacker
> manages to gain root access during this stage, is it not already game over?
> (Well maybe not if using SELinux and suitable policies, but otherwise, it
> sure seems like it is.)

The basic thinking is that if the attacker manages to get root access,
it is almost game over going *forward*, but random session keys that
were generated *before* the attacker manages to gain root access
should be protected as much as possible.  For that reason, we shouldn't
make life easier by making the state of the random-seed file available
to the attacker.

I agree with you that once privilege escalation has happened, it
is.... unlikely that it will be possible to resecure the system short
of doing a complete reinstall of the system (and that's assuming the
attacker hasn't managed to compromise, say, the HDD firmware).

It is *possible* that there could be an attack that allows the
internal state of the crypto random number generator to be exposed,
but for the attacker to not get any other access, so various
constructions that are designed to allow the system to "recover" as
quickly as possible after an internal state exposure aren't
*completely* pointless, but yes, if the attacker really has gained
full root access, it's game over.

Cheers,

					- Ted
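The two properties Ted describes above, that a state exposure lets an attacker predict output only until fresh entropy is mixed in, and that the on-disk random-seed file should not hand the attacker the generator's state, can be shown with a small model. The following is an added example written for this archive page; it is not Ted's code and not the Linux kernel's CRNG. `ToyDRBG` is a constructed HMAC-based ratcheting generator used only to illustrate the behaviour, and `write_seed_file`, `load_seed_and_rotate`, `state_exposure_demo` and `seed_file_demo` are hypothetical helper names chosen here.

```python
import hashlib
import hmac
import os
import stat
import tempfile


class ToyDRBG:
    """Toy ratcheting DRBG (constructed for illustration; not the Linux CRNG).

    The state is advanced one-way after every output, so a snapshot of the
    state does not reveal earlier outputs, and reseed() mixes in fresh
    entropy so the generator recovers once new entropy the attacker has not
    seen arrives.
    """

    def __init__(self, seed: bytes) -> None:
        self.state = hashlib.sha256(b"init" + seed).digest()

    def generate(self, n: int = 32) -> bytes:
        out = hmac.new(self.state, b"out", hashlib.sha256).digest()[:n]
        # one-way ratchet: the new state does not reveal the old one
        self.state = hmac.new(self.state, b"next", hashlib.sha256).digest()
        return out

    def reseed(self, entropy: bytes) -> None:
        self.state = hmac.new(self.state, b"reseed" + entropy, hashlib.sha256).digest()


def state_exposure_demo() -> dict:
    """Show what a leaked internal state buys an attacker, and what reseeding restores."""
    victim = ToyDRBG(os.urandom(32))
    victim.generate()                        # a session key made before the leak;
                                             # recovering it needs inverting the ratchet
    attacker = ToyDRBG(b"")
    attacker.state = victim.state            # snapshot of the internal state leaks
    predicts_until_reseed = attacker.generate() == victim.generate()
    victim.reseed(os.urandom(32))            # fresh entropy the attacker does not have
    predicts_after_reseed = attacker.generate() == victim.generate()
    return {
        "predicts_until_reseed": predicts_until_reseed,
        "predicts_after_reseed": predicts_after_reseed,
    }


def write_seed_file(path: str, seed: bytes) -> None:
    """Atomically write the seed with mode 0600 so only its owner (root) can read it."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")  # created 0600
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(seed)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o600)                 # explicit, regardless of umask
        os.replace(tmp, path)                # rename is atomic on POSIX
    except BaseException:
        os.unlink(tmp)
        raise


def load_seed_and_rotate(path: str, drbg: ToyDRBG) -> None:
    """Mix the stored seed into the generator, then immediately replace the file.

    The replacement is generator output taken after the state has ratcheted,
    so the on-disk file never equals the state keys are derived from, and the
    same seed is never consumed twice after an unclean shutdown.
    """
    with open(path, "rb") as f:
        drbg.reseed(f.read())
    write_seed_file(path, drbg.generate(32))


def seed_file_demo() -> dict:
    """Round-trip a constructed seed through a temp dir and report the checks."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "random-seed")
        original = os.urandom(32)            # constructed sample seed
        write_seed_file(path, original)
        mode = stat.S_IMODE(os.stat(path).st_mode)
        drbg = ToyDRBG(os.urandom(32))
        load_seed_and_rotate(path, drbg)
        with open(path, "rb") as f:
            rotated = f.read()
        return {
            "mode_is_0600": mode == 0o600,
            "seed_rotated": rotated != original,
            "file_is_not_state": rotated != drbg.state,
        }


if __name__ == "__main__":
    print(state_exposure_demo())
    print(seed_file_demo())
```

The first demo reports `predicts_until_reseed` as true and `predicts_after_reseed` as false: recovery constructions only help once entropy the attacker has not observed is mixed in, which is exactly why they are not pointless but also no substitute for keeping root. The second demo checks the defensive handling of the seed file itself: owner-only permissions, an atomic write, and rotation immediately after load so a leaked file is a stale, already-ratcheted value rather than the live state.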

