From owner-freebsd-current Fri Jul 21 11: 3:48 2000
Delivered-To: freebsd-current@freebsd.org
Received: from troutmask.apl.washington.edu (troutmask.apl.washington.edu [128.95.76.54]) by hub.freebsd.org (Postfix) with ESMTP id A6D1537BDDF; Fri, 21 Jul 2000 11:03:43 -0700 (PDT) (envelope-from sgk@troutmask.apl.washington.edu)
Received: (from sgk@localhost) by troutmask.apl.washington.edu (8.9.3/8.9.3) id LAA61495; Fri, 21 Jul 2000 11:06:41 -0700 (PDT) (envelope-from sgk)
From: Steve Kargl
Message-Id: <200007211806.LAA61495@troutmask.apl.washington.edu>
Subject: Re: randomdev entropy gathering is really weak
In-Reply-To: <3978806C.8BD1EDD6@vangelderen.org> from "Jeroen C. van Gelderen" at "Jul 21, 2000 12:55:08 pm"
To: "Jeroen C. van Gelderen"
Date: Fri, 21 Jul 2000 11:06:41 -0700 (PDT)
Cc: Dan Moschuk, Kris Kennaway, Mark Murray, current@FreeBSD.ORG
X-Mailer: ELM [version 2.4ME+ PL61 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Jeroen C. van Gelderen wrote:
> Dan Moschuk wrote:
> >
> > I don't see how. If the attacker has physical access to the machine, there
> > are plenty worse things to be done than just reading the state of a PRNG.
> >
> > If the random device is initialized in single user mode, and the file is
> > then unlink()ed, I don't see any problems with that.
>
> You generate a new PGP keypair and start using it. Your
> co-worker reboots your machine afterwards and recovers
> the PRNG state that happens to be stashed on disk. He
> can then backtrack and potentially recover the exact same
> random numbers that you used for your key.
>

I don't follow your logic. A normal boot/shutdown sequence would be:

(1) power on (or shutdown -r)
(2) in single-user mode
    (a) read /dev/saved_entropy into buffer
    (b) unlink /dev/saved_entropy
    (c) create /dev/saved_entropy with all zeros
    (d) test contents in buffer against all zeros
        (I) buffer contents are different from all zeros; initialize entropy pool
        (II) buffer contents match all zeros; use a fall-back method.
(3) go multi-user
(4) normal shutdown
    (a) kick everybody off system
    (b) kill off daemons
    (c) umount all partitions except the partition with /dev
    (d) save entropy to /dev/saved_entropy
    (e) umount partition with /dev

After a crash or panic, the system reboots. Step 2(c) has left a fingerprint to test for valid saved entropy. If all zeros are found, use a suitable fallback method to stir the entropy.

I don't see how co-worker can do what you suggest. And, if he can easily reboot your system, you have other problems to worry about.

-- 
Steve
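The boot-time steps 2(a)-(d) and the clean-shutdown save in step 4(d) from the message above, written out as an added POSIX sh example; this is not code from the thread or from FreeBSD's rc scripts, and the pool size (512 bytes), the helper names and the use of ordinary file paths in place of /dev/saved_entropy are assumptions so it can run unprivileged in a scratch directory.

```sh
#!/bin/sh
# Added example, not from the mailing-list thread or FreeBSD's rc scripts.
# Implements the saved-entropy handling described in the message:
# read, unlink, recreate as all zeros (the fingerprint), then test the buffer.
# Assumptions: the pool is SAVED_ENTROPY_SIZE bytes and the caller passes
# plain file paths instead of /dev/saved_entropy.

SAVED_ENTROPY_SIZE=512   # assumed size of the saved pool, in bytes

# is_all_zero FILE: succeed if FILE is empty or contains only NUL bytes.
# od is POSIX; deleting spaces, newlines and '0' from its hex dump leaves
# nothing only when every byte was 0x00 (any other byte keeps a nonzero digit).
is_all_zero() {
    [ -z "$(od -An -v -tx1 "$1" | tr -d ' \n0')" ]
}

# save_entropy SRC FILE: step 4(d), run only on a clean shutdown.
save_entropy() {
    dd if="$1" of="$2" bs="$SAVED_ENTROPY_SIZE" count=1 2>/dev/null
}

# load_saved_entropy FILE BUF: steps 2(a)-(d). Returns 0 when BUF holds a
# usable seed, 1 when the fingerprint (all zeros) or no file at all was found
# and the caller must fall back to another way of stirring the pool.
load_saved_entropy() {
    file=$1; buf=$2
    # 2(a) read the saved entropy into the buffer
    if [ -f "$file" ]; then cp "$file" "$buf"; else : > "$buf"; fi
    # 2(b) unlink it so the same state cannot be read again after a crash
    rm -f "$file"
    # 2(c) leave the all-zero fingerprint for the next boot to find
    dd if=/dev/zero of="$file" bs="$SAVED_ENTROPY_SIZE" count=1 2>/dev/null
    # 2(d) decide between (I) seed the pool and (II) fall back
    if is_all_zero "$buf"; then
        return 1   # (II) unclean shutdown or first boot: use a fallback
    fi
    return 0       # (I) seed the pool from "$buf"
}
```

A second call on the same path without an intervening save_entropy sees the fingerprint and reports the fallback case, which is the crash/reboot scenario the message describes.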