Date: Mon, 17 Jul 2000 12:08:31 -0400
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: Mark Murray
Cc: cvs-committers@FreeBSD.ORG, cvs-all@FreeBSD.ORG
Subject: Re: cvs commit: src/sys/sys random.h src/sys/dev/randomdev randomdev.c yarrow.c
Message-ID: <39732F7F.2E5BAEC0@vangelderen.org>
References: <200007171223.FAA85311@freefall.freebsd.org>

Mark Murray wrote:
> 
> markm       2000/07/17 05:23:04 PDT
> 
>   Modified files:
>     sys/sys              random.h
>     sys/dev/randomdev    randomdev.c yarrow.c
>   Log:
>   Add randomness write functionality. This does absolutely nothing for
>   entropy estimation, but causes an immediate reseed after the input
>   (read in sizeof(u_int64_t) chunks) is "harvested".

Arbitrarily reseeding is bad in the case of Yarrow as it allows for
iterative guessing attacks. This is precisely why this functionality is
not described in the paper. Yarrow was designed to manage the reseeding
itself just to prevent this kind of attack.

You should definitely run this kind of input through the entropy
estimation routines and have Yarrow decide to reseed. You are writing
4096 bytes anyway (on bootup) so this will (barring serious bugs)
trigger a reseed. If not, you just caught a bug and the randomness
device appears to not work. That's a good thing.

I'd treat any bytes written to /dev/random as just another
(untrustworthy) entropy source and subject them to a very conservative
(dynamic) entropy estimation.

> This will be used in the reboot "reseeder", coming in another
> commit. This can be used very effectively at any time you think
> your randomness is compromised; something like
> 
> # (ps -gauxwww; netstat -an; dmesg; vmstat -c10 1) > /dev/random
> 
> will give the attacker something to think about.

If your entropy pool is compromised your attacker has root or there is
a serious bug in Yarrow. In both cases you will want to take steps to
prevent this from happening again...

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen
jeroen@vangelderen.org
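The two reseed policies argued over above, as an added example written for this page and not the FreeBSD randomdev/yarrow.c code: a constructed model in which user writes are either treated as an immediate reseed, or credited conservatively and left to the pool's own threshold. The 100-bit threshold (the fast-pool figure from the Yarrow paper), the 1-bit-per-chunk credit, the mixing function and all names are assumptions of this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>

/* Constructed model; not the kernel's data structures. */
#define RESEED_THRESHOLD_BITS       100            /* Yarrow fast-pool figure */
#define CHUNK_BYTES                 sizeof(uint64_t) /* write is consumed in u_int64_t chunks */
#define WRITE_CREDIT_BITS_PER_CHUNK 1              /* assumed conservative credit */

struct pool {
    uint64_t state;        /* placeholder mix state, not Yarrow's hash */
    unsigned entropy_bits; /* current entropy estimate for this pool */
    unsigned reseeds;      /* number of reseeds performed so far */
};

/* Mix one 8-byte chunk into the pool (stand-in for the real hash). */
static void mix_chunk(struct pool *p, const uint8_t *chunk) {
    uint64_t word;
    memcpy(&word, chunk, CHUNK_BYTES);
    p->state = p->state * 6364136223846793005ULL + word;
}

static void do_reseed(struct pool *p) {
    p->reseeds++;
    p->entropy_bits = 0; /* estimate restarts after a reseed */
}

/* Policy A, as the commit message describes it: any write forces a reseed
 * regardless of how much entropy the bytes are worth. */
static bool write_forces_reseed(struct pool *p, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + CHUNK_BYTES <= len; i += CHUNK_BYTES)
        mix_chunk(p, buf + i);
    do_reseed(p);
    return true;
}

/* Policy B, as the reply suggests: written bytes are harvested as an
 * untrusted source with conservative credit, and the pool reseeds only
 * once its own estimate reaches the threshold. */
static bool write_via_estimator(struct pool *p, const uint8_t *buf, size_t len) {
    for (size_t i = 0; i + CHUNK_BYTES <= len; i += CHUNK_BYTES) {
        mix_chunk(p, buf + i);
        p->entropy_bits += WRITE_CREDIT_BITS_PER_CHUNK;
    }
    if (p->entropy_bits < RESEED_THRESHOLD_BITS)
        return false; /* credited entropy still below threshold: no reseed */
    do_reseed(p);
    return true;
}
```

With these assumptions a 64-byte write credits only 8 bits and does not reseed, while the 4096-byte boot-time write credits 512 bits and does, matching the reply's expectation.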