Re: Entropy Pool Contents
From: Kyle Moffett
Date: Mon Nov 27 2006 - 16:52:45 EST
On Nov 27, 2006, at 15:40:16, David Wagner wrote:
Phillip Susi wrote:
David Wagner wrote:
Nope, I don't think so. If they could, that would be a security
hole, but /dev/{,u}random was designed to try to make this
impossible, assuming the cryptographic algorithms are secure.
Actually, our current /dev/random implementation is secure even if
the cryptographic algorithms can be broken under traditional
circumstances. Essentially /dev/random will refuse to output any
more data well before enough could be revealed to predict the current
pool state, such that it is fairly secure even in the event of total
failure of the cryptographic primatives.
After all, some of the entropy sources come from untrusted
sources and could be manipulated by an external adversary who
doesn't have any account on your machine (root or non-root), so
the scheme has to be secure against introduction of maliciously
chosen samples in any event.
The way the /dev/random pool works is that writes are always
guaranteed to add entropy to the pool (or at least never remove it),
even if someone runs "dd if=/dev/zero of=/dev/random". The initial
state for any given write is secure, and when hashing a random value
for which a significant part of the state has not even been
theoretically revealed with a known value, the result is still
random. Even beyond that, the random pool also hashes the current
value of the cycle-counter or time of day into the pool with each
call, adding a bit of extra entropy in any case. The same hashing of
the time of day also occurs on reads.
Assuming it works because it would be a bug if it didn't is a
logical fallacy. Either the new entropy pool is guaranteed to be
improved by injecting data or it isn't. If it is, then only root
should be allowed to inject data. If it isn't, then the entropy
estimate should increase when the pool is stirred.
Well, actually the entropy pool is guaranteed not to lose entropy
when it is stirred with data, but the whole point is to ensure that
no userspace program *ever* has enough knowledge of the state of the
pool to even begin a theoretical attack against past or future random
values. As a result it is perfectly OK for programs to dump whatever
data they want into the random pool as extra security for _itself_,
but the kernel does not trust it as extra security for itself. Only
root may inject guaranteed entropy and even then only using a
specific ioctl, but any program may stir up the entropy pool however
much it likes.
I am satisfied that it is safe to feed in entropy samples from
malicious sources, as long as you don't bump up the entropy counter
when you do so. Doing so can't do any harm, and cannot reduce the
entropy in the pool. However, there is no guarantee that it will
increase the entropy. If the adversary knows what bytes you are
feeding into the pool, then it doesn't increase the entropy count,
and the entropy estimate should not be increased.
Exactly.
Note that, in any event, the vast majority of applications should
be using /dev/urandom (not /dev/random!), so in an ideal world,
most of these issues should be pretty much irrelevant to the vast
majority of applications. Sadly, in practice many applications
wrongly use /dev/random when they really should be using /dev/
urandom, either out of ignorance, or because of serious flaws in
the /dev/random man page.
Precisely. Personally I generate my random passwords using a little
perl script reading from /dev/random (as opposed to /dev/urandom) but
that's more due to personal paranoia than any practical reason.
When generating long-term cryptographic private keys, however, you
*should* use /dev/random as it provides better guarantees about
theoretical randomness security than does /dev/urandom. Such
guarantees are useful when the random data will be used as a
fundamental cornerstone of data security for a server or network
(think your root CA certificate or HTTPS certificate for your million-
dollar-per-year web store).
Cheers,
Kyle Moffett
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/