> A little question: I used to believe that crypto software requires
> strong random source to generate key pairs, but this requirement in
> not true for session keys. You don't usually generate a key pair on
> a remote system, of course, so that's not a big issue. On low-entropy
> systems (headless servers) is /dev/urandom strong enough to generate
> session keys? I guess the little entropy collected by the system is
> enough to feed the crypto secure PRNG for /dev/urandom, is it correct?
I /think/ the answer is 'it depends'.
a) If 'low entropy' meant 'no entropy', then the seed would be the
same booting one system as on a black-hat identical system.
b) If you can obtain (one way or another) a session key, you can hijack
that session. Whether or not you can then intercept other sessions
depends in part what that session is (if, for instance, it is a root
ssh session...). If you reduce the search space for session keys, you
make being able to hijack a session considerably easier.
-- Alex Bligh - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Aug 23 2001 - 21:00:41 EST