Re: /dev/random is probably not

From: Jack Lloyd (lloyd_at_randombit.net)
Date: 07/05/05

  • Next message: c0ntexb_at_gmail.com: "McAfee Intrushield IPS Abuse"
    Date: Tue, 5 Jul 2005 12:45:14 -0400
    To: bugtraq@securityfocus.com
    
    

    On Sun, Jul 03, 2005 at 12:39:30PM -0700, Zow Terry Brugger wrote:

    > It's been a while since I looked at the /dev/random design on Linux (probably
    > the early 2.4 days), however one thing that was quite clear was that they did
    > not use any network I/O as entropy sources because an attacker, particularly
    > one that already had control of other machines on the same LAN segment, could
    > have a high degree of control over that source. I would be most interested if
    > that has changed since the last time I looked at it.

    ISTR that grsecurity has toggles that enable gathering entropy from network
    traffic. Assuming the PRNG is any good, it shouldn't matter if an attacker can
    manipulate such timings, because (by definition) a good PRNG will still behave
    correctly even if an attacker does feed it lots of deliberately bad data (as
    long as the PRNG also has been fed with a sufficient amount of unguessable
    'good' input as well, of course).

    [...]
    > > Windows family OSs.
    >
    > All I can observe here is that F-secure SSH still (at least the most recent
    > version I've used) collects its own entropy when running on Win2K, which
    > indicates to me that either they want to operate the same on all Windows
    > versions (as memory serves, Win95/98 does not have a RNG), or that Win2k does
    > not have a suitable RNG.

    Only Win95 pre OSR2 is missing CryptoAPI (and specifically CryptGenRandom).
    However, it's my understanding that early versions of CryptGenRandom were not
    that great.

    -Jack


  • Next message: c0ntexb_at_gmail.com: "McAfee Intrushield IPS Abuse"

    Relevant Pages

    • Re: /dev/random
      ... Sorry - because I do not think it is wise to trust the h/w prng so ... much we discard other entropy. ... Anyway mixing several entropy sources was never acceptable. ... And let me stress it - randomness always was a crucial point. ...
      (freebsd-arch)
    • Re: /dev/random
      ... Sorry - because I do not think it is wise to trust the h/w prng so ... much we discard other entropy. ... Throughout this thread people have been mixing up entropy sources, ... You can't directly compare "yarrow" vs. Padlock without comparing both ...
      (freebsd-arch)
    • Re: /dev/random
      ... Sorry - because I do not think it is wise to trust the h/w prng so ... much we discard other entropy. ... You can't directly compare "yarrow" vs. Padlock without comparing both ... bad idea to trust it so much that we don't use other entropy sources ...
      (freebsd-arch)
    • Re: new /dev/random
      ... It is more a hybrid between a PRNG and a RNG, ... Actually, that is incorrect, /dev/urandom periodically draws from the ... entropy sources just as /dev/random does. ...
      (sci.crypt)
    • Re: new /dev/random
      ... For a proper PRNG, with the assumption that the algorithms are robust, ... is said to contain 40 bits of entropy if I could, ... If I want to attack a stream of 56 bits produced by a PRNG with a seed ... RNG resistance therefore relies on the same two classes of assumptions ...
      (sci.crypt)