Date:      Fri, 21 Jul 2000 11:06:41 -0700 (PDT)
From:      Steve Kargl <sgk@troutmask.apl.washington.edu>
To:        "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Cc:        Dan Moschuk <dan@FreeBSD.ORG>, Kris Kennaway <kris@FreeBSD.ORG>, Mark Murray <mark@grondar.za>, current@FreeBSD.ORG
Subject:   Re: randomdev entropy gathering is really weak
Message-ID:  <200007211806.LAA61495@troutmask.apl.washington.edu>
In-Reply-To: <3978806C.8BD1EDD6@vangelderen.org> from "Jeroen C. van Gelderen" at "Jul 21, 2000 12:55:08 pm"

Jeroen C. van Gelderen wrote:
> Dan Moschuk wrote:
> > 
> > I don't see how.  If the attacker has physical access to the machine, there
> > are plenty worse things to be done than just reading the state of a PRNG.
> > 
> > If the random device is initialized in single user mode, and the file is
> > then unlink()ed, I don't see any problems with that.
> 
> You generate a new PGP keypair and start using it. Your
> co-worker reboots your machine afterwards and recovers 
> the PRNG state that happens to be stashed on disk. He 
> can then backtrack and potentially recover the exact same
> random numbers that you used for your key.
> 

I don't follow your logic.

A normal boot/shutdown sequence would be:
  (1) power on (or shutdown -r)
  (2) in single-user mode
      (a) read /dev/saved_entropy into buffer
      (b) unlink /dev/saved_entropy
      (c) create /dev/saved_entropy with all zeros
      (d) test contents in buffer against all zeros
          (I)  buffer contents is different from all zeros;
               initialize entropy pool
          (II) buffer contents matches all zeros; use
               a fall-back method.
  (3) go multi-user   
  (4) normal shutdown
      (a) kick everybody off system
      (b) kill off daemons
      (c) umount all partitions except the partition with /dev
      (d) save entropy to /dev/saved_entropy
      (e) umount partition with /dev

After a crash or panic, the system reboots.  Step 2(c) has
left a fingerprint to test for valid saved entropy.  If all
zeros are found, use a suitable fallback method to stir the
entropy.

I don't see how the co-worker can do what you suggest.  And, if
he can easily reboot your system, you have other problems to
worry about.

-- 
Steve
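The single-user restore sequence in steps 2(a)-(d) above, as an added POSIX shell example that is not code from the thread or from FreeBSD's rc scripts. The saved-entropy path and the pool sink are parameters (hypothetical paths: on a real system the sink would be /dev/random; here any writable file, so it can be exercised offline).

```shell
#!/bin/sh
# Added example: boot-time restore of saved entropy per steps 2(a)-(d).
# $1 = saved-entropy file, $2 = sink that seeds the pool (hypothetical
# paths; /dev/random on a real system, any writable file for testing).
# Returns 0 if the pool was seeded, 2 if the file held only zeros (the
# caller must fall back, step 2(d)(II)), 1 if the file is missing/unreadable.
restore_saved_entropy() {
    saved=$1
    sink=$2
    buf="${saved}.load.$$"

    # 2(a): read the saved entropy into a private buffer copy
    [ -f "$saved" ] || return 1
    cat "$saved" > "$buf" 2>/dev/null || { rm -f "$buf"; return 1; }
    size=$(wc -c < "$buf" | tr -d ' ')

    # 2(b)+(c): unlink the file and recreate it as all zeros of the same
    # size, so a crash before the next clean shutdown leaves the zero
    # fingerprint on disk instead of a reusable seed.
    rm -f "$saved"
    : > "$saved"
    chmod 600 "$saved"
    if [ "$size" -gt 0 ]; then
        dd if=/dev/zero of="$saved" bs=1 count="$size" 2>/dev/null
    fi

    # 2(d): compare the buffer against all zeros by stripping NUL bytes;
    # nothing left means we found the fingerprint, not a valid seed.
    nonzero=$(tr -d '\000' < "$buf" | wc -c | tr -d ' ')
    if [ "$nonzero" -eq 0 ]; then
        rm -f "$buf"
        return 2
    fi

    # 2(d)(I): feed the buffer into the pool, then destroy the copy
    cat "$buf" >> "$sink"
    rm -f "$buf"
    return 0
}
```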

