From owner-freebsd-current Fri Jul 21 18:55:02 2000
Date: Fri, 21 Jul 2000 18:54:54 -0700 (PDT)
From: Kris Kennaway
To: Mark Murray
Cc: "Jeroen C. van Gelderen", current@FreeBSD.ORG
Subject: Re: randomdev entropy gathering is really weak
In-Reply-To: <200007211923.VAA00707@grimreaper.grondar.za>
Message-ID:

On Fri, 21 Jul 2000, Mark Murray wrote:

> Section 2.1, last paragraph:
> "If a system is shut down, and restarted, it is desirable to store some
> high-entropy data (such as the key) in non-volatile memory. This allows
> the PRNG to be restarted in an unguessable state at the next restart. We
> call this data the reseed file."

I'm all for storing a sample at shutdown and using it to help seed the
PRNG at startup, but it shouldn't be the only seed used (for example, the
case where the system has never been shut down (cleanly) before and so has
no pre-existing seed file is a BIG corner case to consider, since that's
how the system is at the time it first generates SSH keys after a fresh
install).

It might be only an academic vulnerability, but if someone can read your
HD during the time the system is shut down then I'd prefer them not to
know the precise state when the system next starts up again.

Yes, if they can read they can probably also write, but it seems like a
mistake when there's nothing really gained by saving the complete state,
as opposed to an extract.

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe
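The two design points argued in the message above (the reseed file must not be the only seed at boot, and the file should hold an extract rather than the complete generator state) are easy to see in a toy model. The following is an added example written for this archive page; it is not FreeBSD's randomdev code, not code from the thread, and not Yarrow as the paper specifies it. It assumes a keyed generator whose 32-byte key is the whole state, HMAC-SHA256 as the output PRF, and a constructed byte string standing in for the entropy the kernel would sample at boot; all names (`ToyPRNG`, `boot`, the policy strings) are hypothetical.

```python
import hashlib
import hmac
from typing import Optional

# Toy model (added example, not FreeBSD's randomdev code): the generator state
# is a 32-byte key, output block i is HMAC-SHA256(key, i), and a reseed folds
# every input into the key. Two reseed-file policies are compared below:
# persisting the complete state versus persisting a derived extract, and
# using the file as the only seed versus mixing it with fresh boot entropy.


class ToyPRNG:
    def __init__(self, key: bytes = b"\x00" * 32) -> None:
        self.key = key
        self.counter = 0

    def reseed(self, *sources: bytes) -> None:
        # K' = SHA256(K || len(s1) || s1 || len(s2) || s2 ...): each source is
        # length-prefixed, and one unguessable source makes K' unguessable.
        h = hashlib.sha256(self.key)
        for s in sources:
            h.update(len(s).to_bytes(4, "big"))
            h.update(s)
        self.key = h.digest()
        self.counter = 0

    def read(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]

    def save_full_state(self) -> bytes:
        # Policy "complete state": the reseed file is the key itself.
        return self.key

    def save_extract(self) -> bytes:
        # Policy "extract": the reseed file is one output block. Under the PRF
        # assumption it reveals neither the key nor any other block.
        return self.read(32)


# Constructed sample, standing in for boot-time samples (interrupt timings etc.).
FRESH_ENTROPY_AT_BOOT = bytes.fromhex(
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
)


def boot(reseed_file: Optional[bytes], fresh_entropy: bytes) -> ToyPRNG:
    """Seed a new generator at startup. The reseed file, when present, is one
    input among others; when absent (first boot, or the previous shutdown was
    not clean) the generator falls back to fresh entropy alone."""
    prng = ToyPRNG()
    if reseed_file is None:
        prng.reseed(b"no-reseed-file", fresh_entropy)
    else:
        prng.reseed(reseed_file, fresh_entropy)
    return prng


def _generator_at_shutdown() -> ToyPRNG:
    running = ToyPRNG()
    running.reseed(b"constructed entropy from the previous session")
    running.read(1024)  # the generator was in use before shutdown
    return running


def attacker_reproduces_startup(policy: str) -> bool:
    """True if someone who read the reseed file off the powered-down disk can
    reproduce the first 64 bytes emitted after the next boot."""
    saved = _generator_at_shutdown().save_extract()
    if policy == "file-only":
        victim = ToyPRNG(); victim.reseed(saved)          # file is the only seed
        guess = ToyPRNG(); guess.reseed(saved)
    elif policy == "file-plus-fresh":
        victim = boot(saved, FRESH_ENTROPY_AT_BOOT)       # file mixed with fresh samples
        guess = ToyPRNG(); guess.reseed(saved)            # attacker lacks those samples
    else:
        raise ValueError(policy)
    return victim.read(64) == guess.read(64)


def attacker_recovers_session_output(saved_kind: str) -> bool:
    """True if the reseed file alone lets an attacker recompute output the
    generator handed out before shutdown (say, keys generated that session)."""
    running = ToyPRNG()
    running.reseed(b"constructed entropy from the previous session")
    session_output = running.read(64)
    saved = running.save_full_state() if saved_kind == "full-state" else running.save_extract()
    replay = ToyPRNG(saved)  # treat the file as the key and regenerate from block 0
    return replay.read(64) == session_output
```

Run as a script, `attacker_reproduces_startup("file-only")` is true and `attacker_reproduces_startup("file-plus-fresh")` is false, which is the first point: the file helps only if something the attacker cannot read is mixed in with it. `attacker_recovers_session_output("full-state")` is true while the "extract" variant is false, which is the second point: a file holding the complete key lets the reader rewind the previous session, and a derived extract of the same size seeds the next boot just as well without that exposure. `boot(None, ...)` covers the fresh-install case with no file at all.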