From owner-freebsd-current  Sun Aug 27 13:36:42 2000
Delivered-To: freebsd-current@freebsd.org
Received: from smtp02.iafrica.com (smtp02.iafrica.com [196.7.0.140])
	by hub.freebsd.org (Postfix) with ESMTP
	id 8DDFD37B422; Sun, 27 Aug 2000 13:36:36 -0700 (PDT)
Received: from [196.7.18.138] (helo=grimreaper.grondar.za ident=root)
	by smtp02.iafrica.com with esmtp (Exim 1.92 #1)
	id 13T9AH-0005v1-00; Sun, 27 Aug 2000 22:36:25 +0200
Received: from grimreaper.grondar.za (mark@localhost [127.0.0.1])
	by grimreaper.grondar.za (8.11.0/8.11.0) with ESMTP id e7RKb3p29908;
	Sun, 27 Aug 2000 22:37:03 +0200 (SAST)
	(envelope-from mark@grimreaper.grondar.za)
Message-Id: <200008272037.e7RKb3p29908@grimreaper.grondar.za>
To: Adam Back <adam@cypherspace.org>
Cc: current@FreeBSD.ORG, kris@FreeBSD.ORG, jeroen@vangelderen.org
Subject: Re: yarrow & /dev/random 
References: <200008271611.LAA07481@cypherspace.org> 
In-Reply-To: <200008271611.LAA07481@cypherspace.org> ; from Adam Back <adam@cypherspace.org>  "Sun, 27 Aug 2000 11:11:55 EST."
Date: Sun, 27 Aug 2000 22:37:03 +0200
From: Mark Murray <mark@grondar.za>
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > That works with what I already have: cat $privatekey > /dev/random :-)
> 
> Yes.  But the /dev/random device is traditionally crw-r--r-- which
> means user processes can't write to it.  So you'd have to be root to
> do that.

I go one further; at close, I do an explicit reseed, and I make sure
that it is root doing the writing.
 
> What could be done for yarrow is to change the device permissions to
> crw-rw-rw- and mix into a shared user source and set k_of_n_thresh so
> that the user can only trigger fast reseeds, and consider slow reseed
> de-skewing function output for blocking /dev/random; or just add user
> input with an entropy estimate of 0 so they can't affect reseeding,
> and draw fast reseed de-skewing function output for block /dev/random
> (slow output may be too slow).

The estimate for "user" (really root) input is currently 0, except
that I tie it to explicit (fast) reseeds. It shouldn't be a problem to
tie it to a trickle-feed, and allow that to do fast-only reseeds after
considerable lengths of time.

M

--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message