Re: /dev/urandom uses uninit bytes, leaks user data

From: Bill Davidsen
Date: Wed Dec 19 2007 - 17:23:21 EST


David Newall wrote:
Theodore Tso wrote:
On Tue, Dec 18, 2007 at 01:43:28PM +1030, David Newall wrote:
On a server, keyboard and mouse are rarely used. As you've described it, that leaves only the disk, and during the boot process, disk accesses and timing are somewhat predictable. Whether this is sufficient to break the RNG is (clearly) a matter of debate.

In normal operaiton, entropy is accumlated on the system, extracted
via /dev/urandom at shutdown, and then loaded back into the system
when it boots up.

Thus, the entropy saved at shutdown can be known at boot-time. (You can examine the saved entropy on disk.)


If you have a server, the best thing you can do is use a hardware
random number generator, if it exists. Fortunately a number of
hardware platforms, such as IBM blades and Thinkpads, come with TPM
modules that include hardware RNG's. That's ultimately the best way
to solve these issues.

Just how random are they? Do they turn out to be quite predictable if you're IBM?

The typical RNG is a noise diode or other similar hardware using thermal noise, so it's unlikely that anyone but God could predict it. There are some USB devices which supposedly use radioactive decay, I'm unsure if that's better but I don't want to carry the dongle in my pants pocket. The hotbits network site uses radioactive decay to generate it's numbers.

--
Bill Davidsen <davidsen@xxxxxxx>
"We have more to fear from the bungling of the incompetent than from
the machinations of the wicked." - from Slashdot
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/