Skip site navigation (1)Skip section navigation (2)
Date:      Mon, 7 Dec 2020 08:37:42 +0000
From:      Mark Murray <markm@FreeBSD.org>
To:        Dave Hayes <dave@jetcafe.org>
Cc:        freebsd-hackers@freebsd.org
Subject:   Re: arc4random initialization
Message-ID:  <EB47F35A-EAD8-4B97-B676-FD8C5AD57398@FreeBSD.org>
In-Reply-To: <20201206153625.13e349a8@bigus.dream-tech.com>
References:  <20201206153625.13e349a8@bigus.dream-tech.com>

next in thread | previous in thread | raw e-mail | index | archive | help

--Apple-Mail=_816BA5CA-C7CD-4F62-AF29-5BB4C6521CA0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain;
	charset=us-ascii

Hi

> On 6 Dec 2020, at 23:36, Dave Hayes <dave@jetcafe.org> wrote:
>=20
> So security-wise, just how bad is it to be improperly seeded? If I =
cannot get
> a valid entropy stash at boot time, can I delay the need for it until =
I can get
> a writable filesystem up and running?
>=20
> Thanks in advance for any cogent replies.

This means that the random(4) device and relevant infrastructure like
arc4random starts up in an insecure state and is not to be trusted for =
e.g.
generating SSH keys.

After you have used the machine for a while (exactly how long =
"depends"),
it will reseed itself and become secure.

Essentially, expect every boot off a DVD on the same hardware to reuse
cryptographic keys and therefore be insecure.

Once you've installed on some R/W medium and rebooted, the necessary
entropy will have been stashed for you, and the first SSH keys will be
generated properly.

M
--
Mark R V Murray

--Apple-Mail=_816BA5CA-C7CD-4F62-AF29-5BB4C6521CA0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment;
	filename=signature.asc
Content-Type: application/pgp-signature;
	name=signature.asc
Content-Description: Message signed with OpenPGP

-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.2
Comment: GPGTools - http://gpgtools.org

iQEzBAEBCgAdFiEEyzPHvybPbOpU9MCxQlsJDh9CUqAFAl/N6dYACgkQQlsJDh9C
UqB9ugf+Oiy1edwgcZTasII/+42wtdkhq44/xp6PMi3a0jmyxw6EsaD+CW7ET474
x87V4SVP/2DTgqW0ljtK0sinYB7u1BdP3NXPk0x0Bs/U18BJ6K+COcmDexx2HsMg
Lyp9h16a94C9GuHVnxxSBFdKYENaoWCQksVV6HwkZxK2xFIpLcyrWg2sR4S/qUVV
dc+miQ5k2mC3ubte8lyc36zwSEXR+XNR04e+MKe64tyfmddLzdlbLdWOPHXIKyPv
Na/IaQB6lJIbbpUUh7oNAeI9xjdkW5fIoTZXwDN6/jfoioiJoqHe32eDND1NX05E
TWMuDQTUllkKrxOedgNkFX4Ht3SMsQ==
=cJJt
-----END PGP SIGNATURE-----

--Apple-Mail=_816BA5CA-C7CD-4F62-AF29-5BB4C6521CA0--



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?EB47F35A-EAD8-4B97-B676-FD8C5AD57398>