From: RW <rwmaillists@googlemail.com>
To: freebsd-security@freebsd.org
Date: Mon, 17 Sep 2012 00:46:26 +0100
Subject: Re: Proposed fix; stage 1 (Was: svn commit: r239569 - head/etc/rc.d)
Message-ID: <20120917004626.34cecf12@gumby.homeunix.com>
References: <50453686.9090100@FreeBSD.org> <20120913052431.GA15052@dragon.NUXI.org>
List-Id: "Security issues [members-only posting]"

On Sun, 16 Sep 2012 17:21:21 +0100
Mark Murray wrote:

> Part 3 will be the addition of another choice of software PRNG;
> Fortuna. Fortuna is MUCH more resilient to attack,

Fortuna is much more resilient to types of attack that are probably never going to happen. Potentially Fortuna could be much worse against real-world attacks because it spreads the entropy very thinly across the 32 (or more) pools. During the boot most entropy will go into pools that won't contribute until it's too late to be of use.

I think Fortuna has a lot of merit, but it needs to be modified to be practical as a UNIX /dev/random. For example, instead of looping each entropy source around the 32 pools, just loop up to the first pool that has never been consumed.
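The scheduling argument in the message above can be checked with a small model. The following is an added example, not code from the thread or from FreeBSD's random(4): it implements Fortuna's pool bookkeeping (32 pools, pool i joins reseed number r when 2^i divides r, a reseed fires when pool 0 holds 64 bytes) and compares the standard round-robin distribution over all 32 pools with the variant proposed above, where each source rotates only over pools 0..k and k is the lowest-numbered pool that has never been consumed. It assumes a single entropy source delivering fixed 8-byte events and ignores Fortuna's 100 ms reseed timer; the event payloads are constructed.

```python
"""Toy model of Fortuna's pool scheduler (added example, not FreeBSD code).

Simplifications, stated as assumptions: one entropy source, every event
carries EVENT_BYTES bytes, and only the pool-0 size threshold gates a
reseed (the 100 ms minimum reseed interval is left out).
"""
import hashlib

NUM_POOLS = 32
MIN_POOL_SIZE = 64      # Fortuna's MINPOOLSIZE, in bytes of pool-0 input
EVENT_BYTES = 8         # constructed: size of every harvested event


class FortunaModel:
    def __init__(self, policy):
        assert policy in ("standard", "first_unconsumed")
        self.policy = policy
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool_bytes = [0] * NUM_POOLS    # input since the pool was last drained
        self.consumed = [False] * NUM_POOLS  # has this pool ever fed a reseed?
        self.events = 0
        self.reseeds = 0
        self.key = b"\x00" * 32
        self.bytes_in = 0
        self.bytes_used = 0                  # input that actually reached the generator

    def _target_pool(self):
        if self.policy == "standard":
            # Classic Fortuna: each source walks all pools in turn.
            return self.events % NUM_POOLS
        # Proposed variant: rotate only over pools 0..k, k being the first pool
        # that has never been consumed (all pools once every one has been).
        k = next((i for i, c in enumerate(self.consumed) if not c), NUM_POOLS - 1)
        return self.events % (k + 1)

    def add_event(self, data):
        i = self._target_pool()
        self.pools[i].update(data)
        self.pool_bytes[i] += len(data)
        self.bytes_in += len(data)
        self.events += 1
        if self.pool_bytes[0] >= MIN_POOL_SIZE:
            self._reseed()

    def _reseed(self):
        self.reseeds += 1
        material = self.key
        for i in range(NUM_POOLS):
            # Pool i takes part in reseed number r exactly when 2**i divides r,
            # so the first pool that does not divide ends the scan.
            if self.reseeds % (1 << i) != 0:
                break
            material += self.pools[i].digest()
            self.bytes_used += self.pool_bytes[i]
            self.pool_bytes[i] = 0
            self.consumed[i] = True
            self.pools[i] = hashlib.sha256()
        self.key = hashlib.sha256(material).digest()

    def stranded(self):
        """Input sitting in pools that have not yet been fed into the generator."""
        return self.bytes_in - self.bytes_used


def simulate(policy, n_events):
    """Feed n_events constructed events and report how much input was used."""
    m = FortunaModel(policy)
    first_reseed = None
    for e in range(n_events):
        m.add_event(e.to_bytes(EVENT_BYTES, "big"))  # constructed payload
        if first_reseed is None and m.reseeds:
            first_reseed = e
    return {"reseeds": m.reseeds, "first_reseed_event": first_reseed,
            "bytes_in": m.bytes_in, "bytes_used": m.bytes_used,
            "stranded": m.stranded()}


if __name__ == "__main__":
    # 400 boot-time events of 8 bytes each (3200 bytes of input):
    #   standard          -> 1 reseed (after event 224), 64 bytes used, 3136 stranded
    #   first_unconsumed  -> 13 reseeds (first after event 7), 2400 used, 800 stranded
    for policy in ("standard", "first_unconsumed"):
        print(policy, simulate(policy, 400))
```

With the standard walk, only one event in 32 lands in pool 0, so the first reseed needs 256 events and uses just 8 of them; everything else waits in pools whose turn has not come. The variant concentrates the first 8 events in pool 0, reseeds immediately, and keeps most of the early input flowing into the generator, which is the point the message makes about boot-time entropy. The model says nothing about the attack resistance the wider pools are meant to buy; it only measures how much harvested input reaches the generator within a fixed number of early events.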