From owner-freebsd-current Fri Jul 21 12:24:08 2000
Delivered-To: freebsd-current@freebsd.org
Received: from grimreaper.grondar.za (grimreaper.grondar.za [196.7.18.138]) by hub.freebsd.org (Postfix) with ESMTP id 6BBA137BE0A for ; Fri, 21 Jul 2000 12:24:01 -0700 (PDT) (envelope-from mark@grondar.za)
Received: from grimreaper.grondar.za (localhost [127.0.0.1]) by grimreaper.grondar.za (8.9.3/8.9.3) with ESMTP id VAA00707; Fri, 21 Jul 2000 21:23:53 +0200 (SAST) (envelope-from mark@grimreaper.grondar.za)
Message-Id: <200007211923.VAA00707@grimreaper.grondar.za>
To: "Jeroen C. van Gelderen"
Cc: current@FreeBSD.ORG
Subject: Re: randomdev entropy gathering is really weak
References: <39787FA4.A79BAE0B@vangelderen.org>
In-Reply-To: <39787FA4.A79BAE0B@vangelderen.org>; from "Jeroen C. van Gelderen" "Fri, 21 Jul 2000 12:51:48 -0400."
Date: Fri, 21 Jul 2000 21:23:53 +0200
From: Mark Murray
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

> > It is a Yarrow-mandated procedure. Please read the Yarrow paper.
>
> Actually, it's not. You do not want to save the exact
> PRNG state to disk, ever. It's not Yarrow-mandated
> procedure but a big security hole.

Section 2.1, last paragraph:

"If a system is shut down, and restarted, it is desirable to store some
high-entropy data (such as the key) in non-volatile memory. This allows the
PRNG to be restarted in an unguessable state at the next restart. We call
this data the reseed file."

Perhaps "mandated" was a bit strong; "desired" might be better.

> That said, you do not write out the state of the PRNG,
> you write out a couple of blocks of output from which
> the state cannot be derived. That *is* okay and that's
> what you are doing.

Writing the 256-bit key would have been OK according to the paper.

> And just for completeness: it's not mandatory to do so.
> I don't know where you read that in the paper.

See above.

> > If they can do that, they have either the console (==root) or they have
> > root. Either way, who cares what they know about your machine, they have
> > the whole darn thing :-O.
>
> Someone may well compromise your randomness source without
> you noticing. And read your PGP mail for the coming couple
> of years because your PGP key was compromised without you
> noticing. Perfect Trojan horse to write for the FBI, IRS,
> anyone who doesn't like you. Oops.

Sure; we need to be appropriately paranoid about that, but let's not get
ridiculous. The seed file could certainly use some decent protection, but
unfortunately, PC architectures don't come with SIM cards or the like.

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org
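The reseed-file handling the two posters are arguing about, as an added model written for this page; it is not FreeBSD's randomdev code and not anything either poster wrote. It follows the variant Jeroen describes (the file holds a couple of blocks of generator output, never the key or the full state) and gives the file the protection Mark says it needs: owner-only permissions on write, a refusal to trust a loosened file on load, and an immediate overwrite after use so the same bytes cannot be replayed at the next boot. HMAC-SHA256 in counter mode stands in for Yarrow's block-cipher generator, and the class names, function names and the "entropy" file path are all made up for the example.

```python
import hashlib
import hmac
import os
import stat
import tempfile

BLOCK = 32        # bytes per generator output block (SHA-256 digest size)
GATE_EVERY = 10   # generator gate: re-key after this many output blocks


class YarrowLikeGenerator:
    """Key-plus-counter generator in the Yarrow shape (simplified model).
    HMAC-SHA256(key, counter) stands in for Yarrow's E_K(counter)."""

    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0
        self._since_gate = 0

    def _block(self) -> bytes:
        ctr = self.counter.to_bytes(16, "big")
        self.counter += 1
        return hmac.new(self.key, ctr, hashlib.sha256).digest()

    def _gate(self) -> None:
        # Generator gate: the next output block becomes the new key, so a later
        # key compromise does not reveal blocks produced before the gate.
        self.key = self._block()
        self._since_gate = 0

    def generate(self, nbytes: int) -> bytes:
        out = bytearray()
        while len(out) < nbytes:
            out += self._block()
            self._since_gate += 1
            if self._since_gate >= GATE_EVERY:
                self._gate()
        return bytes(out[:nbytes])

    def reseed(self, material: bytes) -> None:
        # New key = H(old key || material); the reseed file is just one more input.
        self.key = hashlib.sha256(self.key + material).digest()
        self._since_gate = 0


def write_seed_file(gen: YarrowLikeGenerator, path: str) -> bytes:
    """Save a couple of output blocks, never gen.key itself, owner-readable only."""
    material = gen.generate(2 * BLOCK)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(material)
    os.chmod(path, 0o600)   # O_CREAT's mode is umask-filtered and ignored on an existing file
    return material


def load_seed_file(gen: YarrowLikeGenerator, path: str) -> bytes:
    """Boot-time path: refuse a group/world-readable seed file, mix it in,
    then overwrite it at once so the same bytes cannot be replayed next boot."""
    if stat.S_IMODE(os.stat(path).st_mode) & 0o077:
        raise PermissionError(f"{path}: seed file must be mode 0600")
    with open(path, "rb") as f:
        material = f.read()
    gen.reseed(material)
    write_seed_file(gen, path)
    return material


def demo(seed_dir=None) -> dict:
    """One shutdown/restart cycle; returns the values the thread argues about."""
    path = os.path.join(seed_dir or tempfile.mkdtemp(), "entropy")  # made-up path

    running = YarrowLikeGenerator(os.urandom(32))    # live system, unknown key
    key_at_shutdown = running.key
    saved = write_seed_file(running, path)

    # A rebooted generator starts from a fixed, guessable key; without the
    # reseed file its first output would be identical on every boot.
    cold = YarrowLikeGenerator(b"\x00" * 32)
    predictable = YarrowLikeGenerator(b"\x00" * 32).generate(BLOCK)
    load_seed_file(cold, path)
    first_after_boot = cold.generate(BLOCK)
    with open(path, "rb") as f:
        rewritten = f.read()
    mode = stat.S_IMODE(os.stat(path).st_mode)

    # A seed file someone has loosened to 0644 must be refused, not trusted.
    os.chmod(path, 0o644)
    try:
        load_seed_file(cold, path)
        loose_rejected = False
    except PermissionError:
        loose_rejected = True

    return {
        "key_at_shutdown": key_at_shutdown, "saved": saved,
        "predictable_without_seed": predictable, "first_after_boot": first_after_boot,
        "rewritten": rewritten, "mode": mode, "loose_rejected": loose_rejected,
    }
```

Calling `demo()` runs one shutdown and restart against a temporary file: the saved bytes are generator output, not the key; the rebooted generator's first block differs from what a seedless boot would produce; the file is rewritten with fresh output as soon as it is consumed; and a copy left at 0644 is rejected. The model does not address the case Jeroen raises of an attacker who already has root, which no file permission can fix; it only shows what the seed file should and should not contain and how it is handled on the way in and out.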