Date:      Sun, 27 Aug 2000 01:44:51 -0500
From:      Adam Back <adam@cypherspace.org>
To:        wollman@khavrinen.lcs.mit.edu
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: yarrow & /dev/random
Message-ID:  <200008270644.BAA07124@cypherspace.org>
In-Reply-To: <200008270126.VAA70297@khavrinen.lcs.mit.edu> (message from Garrett Wollman on Sat, 26 Aug 2000 21:26:21 -0400 (EDT))


Garrett Wollman writes:
> In most of the applications where people really care (i.e.,
> servers), there is no mouse or keyboard input.

This is a generic problem.  I posted this in a follow-up message on
freebsd-current:

| Unattended servers are a problem alright.
| 
| One thing you can do is if your server has any private keys -- and it
| generally will have if it's doing crypto -- is mix the private key
| into the random pool along with the current time.  As the attacker
| doesn't know your private key (if he does it's game over anyway), you
| get a /dev/urandom which is secure.
| 
| (If you don't like the `feel' of putting your private key into
| /dev/urandom as a sample, run it through a one-way hash function
| first).
| 
| The other thing you can do is mix in encrypted IVs people connecting
| to your server send you -- for example SSL, SSH, and PGP and so on
| tend to do this.  It can't hurt because you're only mixing, and you
| can't destroy entropy with a good mixing function; and if you presume
| the collection of people who connect to you aren't colluding it helps.
| (If there is only one person communicating with you, it doesn't matter
| anyway, because they have their own plaintext.)
| 
| We should encourage people to do these two things.

An additional comment is that if you care, you force the person
installing the software to generate some input during installation
before server key generation.

Also you still get disk interrupts if the machine has a disk -- for
what they're worth.

Adam
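The seeding recipe sketched in the message above (hash the private key rather than feeding it in raw, mix it with the current time and with IVs that connecting peers sent, then hand the result to the kernel pool) as a worked example. This is added illustration, not code from the original post or from FreeBSD; the key file path, the helper names and the peer IVs are assumptions or constructed sample data.

```python
import hashlib
import os
import struct
import sys
from typing import Iterable


def build_seed(private_key: bytes, now: float, peer_ivs: Iterable[bytes]) -> bytes:
    """Derive 32 bytes of seed material from inputs the attacker is assumed
    not to have in full.

    - private_key: the server's long-term key. It is run through a one-way
      hash first, so the bytes that reach the pool cannot be turned back
      into the key even if the pool contents leak.
    - now: current time, a small extra sample (not secret, cannot hurt).
    - peer_ivs: IVs received from connecting clients. Mixing them in costs
      nothing; it only helps if the peers are not all colluding.
    """
    key_digest = hashlib.sha256(private_key).digest()

    h = hashlib.sha256()
    h.update(b"seed-material-v1")          # domain separation label (assumed)
    h.update(key_digest)
    h.update(struct.pack(">d", now))       # fixed-width encoding of the time
    for iv in peer_ivs:
        # Length-prefix each IV so that [b"a", b"bc"] and [b"ab", b"c"]
        # do not hash to the same input.
        h.update(struct.pack(">I", len(iv)))
        h.update(iv)
    return h.digest()


def feed_kernel_pool(seed: bytes, device: str = "/dev/random") -> int:
    """Write the seed into the kernel's random device. Writing only mixes;
    it never makes the pool worse than it was. Returns bytes written."""
    fd = os.open(device, os.O_WRONLY)
    try:
        return os.write(fd, seed)
    finally:
        os.close(fd)


def main() -> None:
    # Hypothetical key location; pass a real path as the first argument.
    key_path = sys.argv[1] if len(sys.argv) > 1 else "/etc/ssl/private/server.key"
    with open(key_path, "rb") as f:
        private_key = f.read()

    # Constructed sample IVs standing in for values real peers would send
    # in their first protocol message (e.g. the TLS ClientHello random).
    import time
    peer_ivs = [os.urandom(16), os.urandom(16)]

    seed = build_seed(private_key, time.time(), peer_ivs)
    written = feed_kernel_pool(seed)
    print(f"mixed {written} bytes of seed material into the kernel pool")


if __name__ == "__main__":
    main()
```

One caveat when reusing this on other systems: on Linux a plain write to /dev/random mixes the bytes in but does not raise the kernel's entropy estimate (that needs the RNDADDENTROPY ioctl as root), so it unblocks nothing; on FreeBSD a write feeds the collector directly. Either way the key digest, not the key, is what leaves the process.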

