From: Dag-Erling Smørgrav <des@des.no>
To: Ben Laurie
Cc: freebsd-security@freebsd.org, Doug Barton
Subject: Re: rc.d/postrandom
Date: Tue, 25 Sep 2012 10:21:07 +0200
Message-ID: <86zk4eqzrg.fsf@ds4.des.no>
In-Reply-To: (Ben Laurie's message of "Mon, 24 Sep 2012 18:47:07 +0100")
References: <505FDA03.5020207@FreeBSD.org> <86haqnsrx2.fsf@ds4.des.no>
List-Id: "Security issues [members-only posting]" <freebsd-security@freebsd.org>

Ben Laurie writes:
> He means postrandom. Which deletes all saved entropy because of fear
> of replay attacks.
>
> IMO, this doesn't make much sense - if you don't have sufficient fresh
> entropy to mix into the pool, then deleting your saved entropy makes
> you more vulnerable, not less. And if you do, you're not vulnerable
> anyway.

If the stored entropy is known to the attacker, you are mixing known
data into the pool, which Yarrow is designed to withstand. You are no
worse off than before.

If both the current state of Yarrow and the stored entropy are known to
the attacker, you are no worse off than before - you are equally screwed
whether you use the stored entropy or not.

If the current state of Yarrow is known to the attacker but the stored
entropy isn't, you are better off with it than without it.

Therefore, the stored entropy should only be deleted when we have
something to replace it with.

DES
-- 
Dag-Erling Smørgrav - des@des.no
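The three cases in the reply above can be checked with a toy model. The following is an added example and is not code from the message, from FreeBSD's Yarrow implementation, or from rc.d/postrandom. It models the pool as SHA-256 over (old state || mixed-in inputs), and assumes, as a constructed worst case, that the fresh entropy available at boot is only FRESH_BITS bits, so an attacker who knows everything else can brute-force it. Every name below (reseed, first_output, boot, attacker_recovers, run_cases) is hypothetical.

```python
"""Toy entropy-pool model for the stored-entropy argument (added example).

Not FreeBSD's Yarrow; a hash-based reseed stands in for it. The property
relied on is the same one the message relies on: mixing data the attacker
already knows into a one-way hash cannot make the pool more predictable.
"""
import hashlib
import secrets
from typing import Dict, Optional

FRESH_BITS = 8                          # constructed: 256 candidate fresh values
FRESH_BYTES = (FRESH_BITS + 7) // 8
KNOWN_STATE = bytes(32)                 # a never-seeded pool: attacker knows it
SECRET_STATE = secrets.token_bytes(32)  # a pool the attacker cannot see
STORED = secrets.token_bytes(32)        # entropy saved to disk by the last boot


def reseed(state: bytes, *inputs: bytes) -> bytes:
    """New state = H(old state || input_1 || ...). Hypothetical reseed."""
    h = hashlib.sha256(state)
    for x in inputs:
        h.update(x)
    return h.digest()


def first_output(state: bytes) -> bytes:
    """First generator block after a reseed (hypothetical output function)."""
    return hashlib.sha256(b"output|" + state).digest()


def boot(initial_state: bytes, fresh: bytes, stored: Optional[bytes]) -> bytes:
    """Boot: mix fresh entropy and, unless postrandom deleted it, the stored
    entropy; return the first block an attacker could observe."""
    inputs = [fresh] + ([stored] if stored is not None else [])
    return first_output(reseed(initial_state, *inputs))


def attacker_recovers(observed: bytes, state_known: Optional[bytes],
                      stored_known: Optional[bytes], stored_was_used: bool) -> bool:
    """Brute-force the fresh entropy using whatever else the attacker knows.
    None means unknown; the attacker then substitutes all-zero bytes, which is
    as good as any other guess against a 256-bit secret."""
    state_guess = state_known if state_known is not None else KNOWN_STATE
    stored_guess = stored_known if stored_known is not None else bytes(32)
    for i in range(2 ** FRESH_BITS):
        fresh_guess = i.to_bytes(FRESH_BYTES, "big")
        candidate = boot(state_guess, fresh_guess,
                         stored_guess if stored_was_used else None)
        if candidate == observed:
            return True
    return False


def run_cases() -> Dict[str, bool]:
    """True = attacker predicted the output. Keys name the message's cases."""
    fresh = secrets.randbelow(2 ** FRESH_BITS).to_bytes(FRESH_BYTES, "big")
    r: Dict[str, bool] = {}
    # Case 1: stored entropy known (replayed), pool state secret.
    r["stored_known_state_secret"] = attacker_recovers(
        boot(SECRET_STATE, fresh, STORED), None, STORED, True)
    # Case 2: both known. Using or deleting the stored entropy changes nothing.
    r["both_known_used"] = attacker_recovers(
        boot(KNOWN_STATE, fresh, STORED), KNOWN_STATE, STORED, True)
    r["both_known_deleted"] = attacker_recovers(
        boot(KNOWN_STATE, fresh, None), KNOWN_STATE, STORED, False)
    # Case 3: state known, stored entropy secret. Keeping it is what saves you;
    # deleting it (postrandom's behaviour) leaves only FRESH_BITS to guess.
    r["state_known_stored_secret_used"] = attacker_recovers(
        boot(KNOWN_STATE, fresh, STORED), KNOWN_STATE, None, True)
    r["state_known_stored_secret_deleted"] = attacker_recovers(
        boot(KNOWN_STATE, fresh, None), KNOWN_STATE, None, False)
    return r


if __name__ == "__main__":
    for name, predicted in run_cases().items():
        print(f"{name:36s} attacker predicts output: {predicted}")
```

Only the two cases where the stored entropy was deleted or already known while the pool state was known come out predictable; mixing in a known stored value never turns an unpredictable case into a predictable one, and mixing in a secret one turns a predictable case into an unpredictable one. Lowering FRESH_BITS to zero models a box with no fresh entropy at all, where the stored file is the only thing standing between the attacker and the first output.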