Date: Mon, 10 Sep 2012 13:40:28 -0700 From: Doug Barton <dougb@FreeBSD.org> To: Arthur Mesh <arthurmesh@gmail.com> Cc: freebsd-rc@freebsd.org, obrien@freebsd.org, freebsd-security@freebsd.org, RW <rwmaillists@googlemail.com>, Dag-Erling Sm?rgrav <des@des.no>, Xin Li <delphij@delphij.net> Subject: Re: svn commit: r239569 - head/etc/rc.d Message-ID: <504E503C.7020903@FreeBSD.org> In-Reply-To: <20120910203210.GB90314@x96.org> References: <20120906174247.GB13179@dragon.NUXI.org> <20120906230157.5307a21f@gumby.homeunix.com> <20120906224703.GD89120@x96.org> <20120907015157.GA29497@server.rulingia.com> <20120910135218.GA68128@dragon.NUXI.org> <504E343A.4020802@FreeBSD.org> <86pq5tu1zr.fsf@ds4.des.no> <504E3DAB.3090000@FreeBSD.org> <86fw6pu0l0.fsf@ds4.des.no> <504E4765.1020909@FreeBSD.org> <20120910203210.GB90314@x96.org>
next in thread | previous in thread | raw e-mail | index | archive | help
On 9/10/2012 1:32 PM, Arthur Mesh wrote: > On Mon, Sep 10, 2012 at 01:02:45PM -0700, Doug Barton wrote: >>> I was exaggerating a bit - but my reasoning was that since it hasn't >>> blown up in our faces yet, it's probably subtle enough to require a >>> large number of samples. >> >> >> If I were Arthur, here is how I would test the "replay attack" assertion: >> >> 1. Install a virgin system with everything as it was before David's >> first commit, and let it run for 24 hours with all the defaults intact. >> Ideally, have it do something over the network periodically to make sure >> that some kind of entropy is harvested from the network drivers. Run >> 'find / -name SASLKASDJKL' to make sure you get some from the disk >> drivers too. >> 2. Disable the cron job for the /var/db/entropy script, and comment out >> the writing of /entropy at shutdown time in /etc/rc.d/random. >> 3. Write a script to reboot, and once the system is fully booted do 'dd >> if=/dev/random of=saved-random-out.$i count=4096' then reboot again >> immediately. Values of i from 1 to 10,000 ought to do it. >> 4. sha256 the saved-random-out files and see how many duplicates there are. > > This test doesn't prove anything useful for the reason des@ outlined. > > To summarize, I have provided my findings and reasoning multiple times. > I've sent a separate report with pointers to problematic code of how > entropy is consumed by yarrow to secteam@. I'm interested in that as well. If someone from secteam@ would like to forward that to me I'd appreciate it. I will of course keep it confidential. Meanwhile can you state publicly whether or not your testing included using dd to feed the device, as is currently done? > You keep asking for empirical proof of my claims. > > There are two claims that I make: > > 1) entropy isn't fully consumed by yarrow all the time - for this I have > empirical proof. I will take your word on that, but before we make any changes to how we use the entropy in the system it would be nice if secteam@ were to discuss publicly the implications of your findings. Or, collaborate with you and I privately to make sure that the proper changes get made. > 2) reusing entropy seeds is a bad thing - for this I don't have > empirical proof. But I have Bruce Schneier's word. And as I have stated repeatedly, you and David are misapplying what you're reading. > Take it or leave it. If those are my choices, I choose "leave it." :) Without any actual proof that reusing the static entropy files causes harm, I would like to ask that the postrandom script be backed out. I will be working on my ideas to pseudo-randomize the order in which the files from /var/db/entropy are used, and to add a new file there at boot time, as discussed previously. I will submit those diffs for comment before I act on them though. Doug -- I am only one, but I am one. I cannot do everything, but I can do something. And I will not let what I cannot do interfere with what I can do. -- Edward Everett Hale, (1822 - 1909)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?504E503C.7020903>