From: Doug Barton
Date: Mon, 10 Sep 2012 13:40:28 -0700
To: Arthur Mesh
Cc: freebsd-rc@freebsd.org, freebsd-security@freebsd.org, RW, Dag-Erling Smørgrav, Xin Li
Subject: Re: svn commit: r239569 - head/etc/rc.d

On 9/10/2012 1:32 PM, Arthur Mesh wrote:
> On Mon, Sep 10, 2012 at 01:02:45PM -0700, Doug Barton wrote:
>>> I was exaggerating a bit - but my reasoning was that since it hasn't
>>> blown up in our faces yet, it's probably subtle enough to require a
>>> large number of samples.
>>
>> If I were Arthur, here is how I would test the "replay attack" assertion:
>>
>> 1. Install a virgin system with everything as it was before David's
>> first commit, and let it run for 24 hours with all the defaults intact.
>> Ideally, have it do something over the network periodically to make sure
>> that some kind of entropy is harvested from the network drivers. Run
>> 'find / -name SASLKASDJKL' to make sure you get some from the disk
>> drivers too.
>> 2. Disable the cron job for the /var/db/entropy script, and comment out
>> the writing of /entropy at shutdown time in /etc/rc.d/random.
>> 3. Write a script to reboot, and once the system is fully booted do 'dd
>> if=/dev/random of=saved-random-out.$i count=4096' then reboot again
>> immediately. Values of i from 1 to 10,000 ought to do it.
>> 4. sha256 the saved-random-out files and see how many duplicates there are.
>
> This test doesn't prove anything useful for the reason des@ outlined.
>
> To summarize, I have provided my findings and reasoning multiple times.
> I've sent a separate report with pointers to problematic code of how
> entropy is consumed by yarrow to secteam@.

I'm interested in that as well. If someone from secteam@ would like to
forward that to me I'd appreciate it. I will of course keep it confidential.

Meanwhile can you state publicly whether or not your testing included
using dd to feed the device, as is currently done?

> You keep asking for empirical proof of my claims.
>
> There are two claims that I make:
>
> 1) entropy isn't fully consumed by yarrow all the time - for this I have
> empirical proof.

I will take your word on that, but before we make any changes to how we
use the entropy in the system it would be nice if secteam@ were to
discuss publicly the implications of your findings. Or, collaborate with
you and me privately to make sure that the proper changes get made.

> 2) reusing entropy seeds is a bad thing - for this I don't have
> empirical proof.
> But I have Bruce Schneier's word.

And as I have stated repeatedly, you and David are misapplying what
you're reading.

> Take it or leave it.

If those are my choices, I choose "leave it." :)

Without any actual proof that reusing the static entropy files causes
harm, I would like to ask that the postrandom script be backed out.

I will be working on my ideas to pseudo-randomize the order in which the
files from /var/db/entropy are used, and to add a new file there at boot
time, as discussed previously. I will submit those diffs for comment
before I act on them though.

Doug

--
    I am only one, but I am one. I cannot do everything, but I can do
    something. And I will not let what I cannot do interfere with what
    I can do.
        -- Edward Everett Hale, (1822 - 1909)
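
Step 4 of the test plan quoted in this message (hash every saved-random-out.$i file and count the duplicates), as an added example that is not part of the original message or of FreeBSD's rc scripts. Only the saved-random-out.$i naming comes from the message; the function names and the constructed demo files are assumptions.

```shell
#!/bin/sh
# Added example: count identical /dev/random samples collected across reboots.
# Assumes sample paths contain no whitespace.

# Print the SHA-256 of one file as bare hex, on FreeBSD or Linux.
hash_file() {
    if command -v sha256 >/dev/null 2>&1; then
        sha256 -q "$1"                  # FreeBSD base system
    else
        sha256sum "$1" | cut -d' ' -f1  # GNU coreutils
    fi
}

# Print "hash path" for every sample in directory $1.
hash_samples() {
    for f in "$1"/saved-random-out.*; do
        [ -f "$f" ] || continue         # glob matched nothing
        printf '%s %s\n' "$(hash_file "$f")" "$f"
    done
}

# Print how many samples repeat the content of an earlier sample.
count_duplicates() {
    hash_samples "$1" | awk '{ if (seen[$1]++) dup++ } END { print dup + 0 }'
}

# Print each group of identical samples as "hash: file file ...".
report_duplicates() {
    hash_samples "$1" | awk '
        { files[$1] = files[$1] " " $2; n[$1]++ }
        END { for (h in n) if (n[h] > 1) print h ":" files[h] }'
}

# Constructed demo data (not real /dev/random output): samples 1 and 3 match.
make_demo_samples() {
    printf 'aaaa' > "$1/saved-random-out.1"
    printf 'bbbb' > "$1/saved-random-out.2"
    printf 'aaaa' > "$1/saved-random-out.3"
}

# When given a directory argument, report on the samples stored there.
if [ "$#" -gt 0 ]; then
    echo "duplicate samples: $(count_duplicates "$1")"
    report_duplicates "$1"
fi
```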