From owner-freebsd-security@FreeBSD.ORG Wed Sep 12 11:34:37 2012 Return-Path: Delivered-To: freebsd-security@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 765701065706 for ; Wed, 12 Sep 2012 11:34:37 +0000 (UTC) (envelope-from rwmaillists@googlemail.com) Received: from mail-ee0-f54.google.com (mail-ee0-f54.google.com [74.125.83.54]) by mx1.freebsd.org (Postfix) with ESMTP id B98698FC1D for ; Wed, 12 Sep 2012 11:34:36 +0000 (UTC) Received: by eeke52 with SMTP id e52so1277009eek.13 for ; Wed, 12 Sep 2012 04:34:35 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=googlemail.com; s=20120113; h=date:from:to:subject:message-id:in-reply-to:references:x-mailer :mime-version:content-type:content-transfer-encoding; bh=L9vnUhkLX842hFslAO/SccM9Qm9v6j5N2sBzAdVOaNI=; b=LxUanEqFjH7iMOxmB/1kg+xtzrmYe5C7oX5bhEpCu9bnzTKTgsV2n2Gad+wCWv6iF1 eRmtaCxqGAZBAeqD4eyC1/eg4yeMNLPpNUvd9nkEtIdOo7P4IiTn3JvM6fw2/6citmPd 8fk+3Ob0a88/aWCxOvPGEh41NcHyUOoGcEEdzUkkusXKXbtn9DNsl6iPUs+ElRQpp5IQ OiidbICarfR2uiR0AXrAScclDmwS2Ro7PLQyZVgvdtiqM0+Dkb7H7h4tFmOCXVovZM8R 8ACLUn1tsey8efybNpsDGpE8cG0Xrc7xXAs8SI+uDRcpDaTrLLz6JcwoxVtuMd0GDjJg njmQ== Received: by 10.14.215.197 with SMTP id e45mr30204105eep.36.1347449675887; Wed, 12 Sep 2012 04:34:35 -0700 (PDT) Received: from gumby.homeunix.com (87-194-105-247.bethere.co.uk. [87.194.105.247]) by mx.google.com with ESMTPS id i41sm55393844eem.7.2012.09.12.04.34.34 (version=SSLv3 cipher=OTHER); Wed, 12 Sep 2012 04:34:34 -0700 (PDT) Date: Wed, 12 Sep 2012 12:34:32 +0100 From: RW To: freebsd-security@freebsd.org Message-ID: <20120912123432.79310a3c@gumby.homeunix.com> In-Reply-To: <504FC2BD.6070402@delphij.net> References: <20120911061530.GA77399@dragon.NUXI.org> <504EDC67.9070700@FreeBSD.org> <86sjao7q8c.fsf@ds4.des.no> <20120911205302.27484fd6@gumby.homeunix.com> <20120911200925.GA88456@dragon.NUXI.org> <504FA76A.5000209@delphij.net> <20120911211730.GB89188@dragon.NUXI.org> <504FAB87.3020701@delphij.net> <20120911215212.GA89515@dragon.NUXI.org> <504FBD15.8040907@delphij.net> <20120911224855.GE14077@x96.org> <504FC2BD.6070402@delphij.net> X-Mailer: Claws Mail 3.8.1 (GTK+ 2.24.6; amd64-portbld-freebsd8.3) Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: Re: svn commit: r239569 - head/etc/rc.d X-BeenThere: freebsd-security@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: "Security issues \[members-only posting\]" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 12 Sep 2012 11:34:37 -0000 On Tue, 11 Sep 2012 16:01:17 -0700 Xin Li wrote: > Well, 1:1 correspondence is when we fed full text to /dev/random, > which we don't, right? Only the first 4K gets consumed. So: > > Situation 1: we have 45K of plain text, and only first 4k is fed to > /dev/random at about 5 bits of entropy per byte; > > Situation 2: we have 45K of plain text, compress to e.g. 25K and only > first 4k is fed to /dev/random at more than 7.6 bits of entropy per > byte; > > Therefore I think Situation 2 is better than situation 1. It's marginally better, but still a very poor solution. You still lose most of the entropy, and you still end up with a substantial risk of there being no buffers available for /entropy. Situation 3: use a hash; all the entropy (up to an overkill amount) ends up in yarrow, most of the buffer space is left for /entropy. Compression solves neither of the two problem - hashing solves both.