Date: Mon, 10 Sep 2012 13:40:28 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Arthur Mesh <arthurmesh@gmail.com> Cc: freebsd-rc@freebsd.org, freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>, Dag-Erling Sm?rgrav <des@des.no>, Xin Li <delphij@delphij.net> Subject: Re: svn commit: r239569 - head/etc/rc.d Message-ID: <504E503C.7020903@FreeBSD.org> In-Reply-To: <20120910203210.GB90314@x96.org> References: <20120906174247.GB13179@dragon.NUXI.org> <20120906230157.5307a21f@gumby.homeunix.com> <20120906224703.GD89120@x96.org> <20120907015157.GA29497@server.rulingia.com> <20120910135218.GA68128@dragon.NUXI.org> <504E343A.4020802@FreeBSD.org> <86pq5tu1zr.fsf@ds4.des.no> <504E3DAB.3090000@FreeBSD.org> <86fw6pu0l0.fsf@ds4.des.no> <504E4765.1020909@FreeBSD.org> <20120910203210.GB90314@x96.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9/10/2012 1:32 PM, Arthur Mesh wrote:
> On Mon, Sep 10, 2012 at 01:02:45PM -0700, Doug Barton wrote:
>>> I was exaggerating a bit - but my reasoning was that since it hasn't
>>> blown up in our faces yet, it's probably subtle enough to require a
>>> large number of samples.
>>
>>
>> If I were Arthur, here is how I would test the "replay attack" assertion:
>>
>> 1. Install a virgin system with everything as it was before David's
>> first commit, and let it run for 24 hours with all the defaults intact.
>> Ideally, have it do something over the network periodically to make sure
>> that some kind of entropy is harvested from the network drivers. Run
>> 'find / -name SASLKASDJKL' to make sure you get some from the disk
>> drivers too.
>> 2. Disable the cron job for the /var/db/entropy script, and comment out
>> the writing of /entropy at shutdown time in /etc/rc.d/random.
>> 3. Write a script to reboot, and once the system is fully booted do 'dd
>> if=/dev/random of=saved-random-out.$i count=4096' then reboot again
>> immediately. Values of i from 1 to 10,000 ought to do it.
>> 4. sha256 the saved-random-out files and see how many duplicates there are.
>
> This test doesn't prove anything useful for the reason des@ outlined.
>
> To summarize, I have provided my findings and reasoning multiple times.
> I've sent a separate report with pointers to problematic code of how
> entropy is consumed by yarrow to secteam@.
I'm interested in that as well. If someone from secteam@ would like to
forward that to me I'd appreciate it. I will of course keep it
confidential.
Meanwhile can you state publicly whether or not your testing included
using dd to feed the device, as is currently done?
> You keep asking for empirical proof of my claims.
>
> There are two claims that I make:
>
> 1) entropy isn't fully consumed by yarrow all the time - for this I have
> empirical proof.
I will take your word on that, but before we make any changes to how we
use the entropy in the system it would be nice if secteam@ were to
discuss publicly the implications of your findings. Or, collaborate with
you and I privately to make sure that the proper changes get made.
> 2) reusing entropy seeds is a bad thing - for this I don't have
> empirical proof. But I have Bruce Schneier's word.
And as I have stated repeatedly, you and David are misapplying what
you're reading.
> Take it or leave it.
If those are my choices, I choose "leave it." :) Without any actual
proof that reusing the static entropy files causes harm, I would like to
ask that the postrandom script be backed out.
I will be working on my ideas to pseudo-randomize the order in which the
files from /var/db/entropy are used, and to add a new file there at boot
time, as discussed previously. I will submit those diffs for comment
before I act on them though.
Doug
--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?504E503C.7020903>