Re: new /dev/random

From: Paul Rubin (//phr.cx_at_NOSPAM.invalid)
Date: 10/07/04

Date: 07 Oct 2004 12:06:57 -0700

Ernst Lippe <ernstl-at-planet-dot-nl@ignore.this> writes:
> In theory this secret IV is an interesting idea, but I don't think
> that it will help much. Most Linux boxes don't have their own
> self-compiled kernel, but use some common distribution (either a
> standard commercial one or some in-house version). When a large user
> group has the same IV there is no real advantage, because the
> machines within this group will still show identical behaviour.
> Giving each computer its own version of the random binary makes life
> difficult for the system administrator (in other words they won't
> support it).

I'm imagining something like a server farm or supercomputer cluster
where there may be lots of machines but with centralized
administration. It's fine if they all have the same static IV that's
accessible to legitimate users, as long as the IV is kept secret from
internet attackers. Don't forget, too, that once the system has been
running for a while, there will be enough real entropy in it that
any insecurity from the IV leaking will have gone away.

In the case of an individual user running a precompiled distro on
their desktop, the installation script can put a second IV into the
bootup command, as described elsewhere.

> Your other suggestion to hunt around the system for every possible
> little bit of entropy seems very sound, it's just that I don't see
> any advantage in a secret IV.

With a secret IV, you don't have to hunt around for every possible
little bit of entropy; you just need enough to get a unique nonce.
For example, using the time-of-day plus the MAC address should yield a
unique nonce.
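A toy model of the seeding scheme argued for in this thread, added here as an illustration; it is not code from the post, and it is not the Linux kernel's pool implementation. It assumes a shared secret IV baked into a distribution image, a per-machine nonce built from the MAC address plus the boot time-of-day, and simple hash-based pool mixing; every value (IV, MACs, timestamp, entropy sample) is constructed. It shows the three points above: two hosts with the same IV still start from different states when their nonces differ, the initial state is recomputable by anyone holding both the IV and the nonce (which is why the IV must stay secret), and once a sample of real entropy has been mixed in, knowing the IV no longer recovers the pool.

```python
"""Toy model: seeding a random pool from a secret IV plus a unique nonce."""
import hashlib
import hmac
import struct

# Constructed sample values (not real machines). Two hosts in one cluster
# run the same precompiled image and therefore carry the same secret IV.
SHARED_SECRET_IV = bytes.fromhex("00112233445566778899aabbccddeeff")  # placeholder
HOST_A_MAC = bytes.fromhex("001122334455")   # constructed
HOST_B_MAC = bytes.fromhex("001122334466")   # constructed
BOOT_TIME = 1097175000.0                     # constructed time-of-day (epoch seconds)


def make_nonce(mac_address: bytes, time_of_day: float) -> bytes:
    """Unique but not secret: MAC address concatenated with the boot time."""
    return mac_address + struct.pack(">d", time_of_day)


def derive_seed(secret_iv: bytes, nonce: bytes) -> bytes:
    """Initial pool state: keyed hash of the nonce under the secret IV.
    Distinct per nonce; unpredictable without the IV."""
    return hmac.new(secret_iv, b"pool-init:" + nonce, hashlib.sha256).digest()


def mix_entropy(pool: bytes, sample: bytes) -> bytes:
    """Fold a gathered entropy sample into the pool state."""
    return hashlib.sha256(b"mix:" + pool + sample).digest()


def extract(pool: bytes) -> bytes:
    """Derive one output block from the current pool state."""
    return hashlib.sha256(b"out:" + pool).digest()


def simulate_cluster() -> dict:
    """Boot two hosts with the same IV and report what an IV leak exposes."""
    nonce_a = make_nonce(HOST_A_MAC, BOOT_TIME)
    nonce_b = make_nonce(HOST_B_MAC, BOOT_TIME)   # same boot time, different MAC
    seed_a = derive_seed(SHARED_SECRET_IV, nonce_a)
    seed_b = derive_seed(SHARED_SECRET_IV, nonce_b)

    # With the IV leaked and the nonce fields known, the initial state can be
    # recomputed exactly: the IV's secrecy is what protects the first outputs.
    recomputed = derive_seed(SHARED_SECRET_IV, nonce_a)

    # After host A mixes in a real sample (constructed here) that the outside
    # party never observed, the leaked IV no longer reproduces the pool.
    pool_a = mix_entropy(seed_a, b"constructed-disk-timing-sample")

    return {
        "hosts_start_from_different_states": seed_a != seed_b,
        "initial_state_recomputable_with_leaked_iv": recomputed == seed_a,
        "output_recomputable_after_real_entropy": extract(recomputed) == extract(pool_a),
    }


if __name__ == "__main__":
    for name, value in simulate_cluster().items():
        print(f"{name}: {value}")
```

Running it prints three lines: the hosts start from different states (True), the initial state is recomputable from a leaked IV (True), and the output is still recomputable after real entropy is mixed in (False). The keyed hash is what lets a unique, guessable nonce stand in for a large entropy harvest at boot, and the mixing step is what makes the IV's secrecy matter only until real entropy arrives.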