Date:      Tue, 25 Sep 2012 10:21:07 +0200
From:      Dag-Erling Smørgrav <des@des.no>
To:        Ben Laurie <benl@freebsd.org>
Cc:        freebsd-security@freebsd.org, Doug Barton <dougb@freebsd.org>
Subject:   Re: rc.d/postrandom
Message-ID:  <86zk4eqzrg.fsf@ds4.des.no>
In-Reply-To: <CAG5KPzzsHxErOho3BkqFL2M_OtimFfQB_OKG-9myQ2gm3-xgQA@mail.gmail.com> (Ben Laurie's message of "Mon, 24 Sep 2012 18:47:07 +0100")
References:  <505FDA03.5020207@FreeBSD.org> <86haqnsrx2.fsf@ds4.des.no> <CAG5KPzzsHxErOho3BkqFL2M_OtimFfQB_OKG-9myQ2gm3-xgQA@mail.gmail.com>

Ben Laurie <benl@freebsd.org> writes:
> He means postrandom. Which deletes all saved entropy because of fear
> of replay attacks.
>
> IMO, this doesn't make much sense - if you don't have sufficient fresh
> entropy to mix into the pool, then deleting your saved entropy makes
> you more vulnerable, not less. And if you do, you're not vulnerable
> anyway.

If the stored entropy is known to the attacker, you are mixing known
data into the pool, which Yarrow is designed to withstand.  You are no
worse off than before.

If both the current state of Yarrow and the stored entropy are known to
the attacker, you are no worse off than before - you are equally screwed
whether you use the stored entropy or not.

If the current state of Yarrow is known to the attacker but the stored
entropy isn't, you are better off with it than without it.

Therefore, the stored entropy should only be deleted when we have
something to replace it with.

DES
-- 
Dag-Erling Smørgrav - des@des.no
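A toy model of the case analysis in the message above, added here as an illustration; it is not FreeBSD's Yarrow implementation or any code from the thread. SHA-256 stands in for the pool's one-way reseed, and the attacker's knowledge is modelled by whether they hold the true value of the pool state and the saved seed file or must guess it.

```python
# Added illustration of the case analysis above; not FreeBSD/Yarrow code.
# SHA-256 stands in for the pool's one-way reseed; the attacker's knowledge
# is modelled by whether they hold the true value or must guess it.
import hashlib
import os

def reseed(state: bytes, entropy: bytes) -> bytes:
    """Mix entropy into the pool state with a one-way hash."""
    return hashlib.sha256(state + entropy).digest()

def output(state: bytes) -> bytes:
    """Derive the next output block from the pool state."""
    return hashlib.sha256(b"output" + state).digest()

def attacker_predicts(state_known: bool, stored_known: bool, use_stored: bool,
                      true_state: bytes, stored_entropy: bytes) -> bool:
    """True if an attacker with the given knowledge predicts the next output.

    Unknown values are replaced by a fresh random guess, which for 32-byte
    values is wrong with overwhelming probability.
    """
    model_state = true_state if state_known else os.urandom(32)
    model_stored = stored_entropy if stored_known else os.urandom(32)
    real_state = true_state
    if use_stored:
        real_state = reseed(real_state, stored_entropy)
        model_state = reseed(model_state, model_stored)
    return output(model_state) == output(real_state)

def case_table() -> dict:
    """Map (state_known, stored_known, use_stored) -> attacker can predict.

    Covers the situations in the message, each with and without mixing
    the stored entropy into the pool.
    """
    true_state = os.urandom(32)   # constructed: current pool state
    stored = os.urandom(32)       # constructed: contents of the saved seed file
    table = {}
    for state_known in (False, True):
        for stored_known in (False, True):
            for use_stored in (False, True):
                table[(state_known, stored_known, use_stored)] = attacker_predicts(
                    state_known, stored_known, use_stored, true_state, stored)
    return table

if __name__ == "__main__":
    for key, predicted in sorted(case_table().items()):
        print(key, "attacker predicts output" if predicted else "unpredictable")
```

The only row where deleting the seed file changes the outcome is the one where the attacker knows the pool state but not the stored entropy, and there the stored entropy is what restores unpredictability.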



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?86zk4eqzrg.fsf>