From: "Rodney W. Grimes"
Message-Id: <200007221749.KAA43756@gndrsh.dnsmgr.net>
Subject: Re: randomdev entropy gathering is really weak
In-Reply-To: from Kris Kennaway at "Jul 21, 2000 06:54:54 pm"
To: kris@FreeBSD.ORG (Kris Kennaway)
Date: Sat, 22 Jul 2000 10:49:30 -0700 (PDT)
Cc: mark@grondar.za (Mark Murray), jeroen@vangelderen.org (Jeroen C. van Gelderen), current@FreeBSD.ORG

> On Fri, 21 Jul 2000, Mark Murray wrote:
>
> > Section 2.1, last paragraph:
> > "If a system is shut down, and restarted, it is desirable to store some
> > high-entropy data (such as the key) in non-volatile memory. This allows
> > the PRNG to be restarted in an unguessable state at the next restart. We
> > call this data the reseed file."
>
> I'm all for storing a sample at shutdown and using it to help seed the
> PRNG at startup, but it shouldn't be the only seed used (for example, the
> case where the system has never been shut down (cleanly) before and so has
> no pre-existing seed file is a BIG corner case to consider, since that's how
> the system is at the time it first generates SSH keys after a fresh
> install).
>
> It might be only an academic vulnerability, but if someone can read your
> HD during the time the system is shut down then I'd prefer them not to
> know the precise state when the system next starts up again.
> Yes, if they can read they can probably also write, but it seems like a
> mistake when there's nothing really gained by saving the complete state,
> as opposed to an extract.

And for folks like us who do mass installs via dd if=/dev/da1 of=/dev/da2,
where da1 is a mastered image created via ``make installworld DESTDIR=/mnt'',
the corner case is very large.

I have been bitten by an event where the master disk was booted once before
replication, and thus all systems had _IDENTICAL_ /etc/ssh contents. Not a
very good idea!!

We have amended the manufacturing process now, so that part of the disk
replication is the nuking and regeneration of /etc/ssh.

--
Rod Grimes - KD7CAX @ CN85sl - (RWG25)               rgrimes@gndrsh.dnsmgr.net
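The manufacturing fix Rod describes (strip per-host secrets from the mastered image before it is dd'd, and make sure no two clones ended up with the same host key) as an added example. This is not code from the original mail or from FreeBSD: the file paths, including the PRNG seed-file location, are assumptions to adjust for your own rc scripts, and it assumes those rc scripts regenerate missing SSH host keys on first boot.

```shell
#!/bin/sh
# Added example, not code from the original mail or from FreeBSD.
# Scrub per-host secrets from a mastered image before it is replicated
# with dd, and audit a set of image roots for identical SSH host keys.
# Paths are assumptions: adjust to where your rc scripts keep host keys
# and the PRNG seed file, and confirm your rc regenerates missing keys.

# Per-host files that must differ on every clone. The seed-file path
# (var/db/entropy) is an assumption; this list is the only thing to edit.
PER_HOST_FILES="etc/ssh/ssh_host_key etc/ssh/ssh_host_key.pub \
etc/ssh/ssh_host_dsa_key etc/ssh/ssh_host_dsa_key.pub \
var/db/entropy"

# count_per_host_files ROOT: print how many per-host files still exist
# under the image mounted at ROOT (0 means the image is safe to clone).
count_per_host_files() {
    n=0
    for f in $PER_HOST_FILES; do
        [ -e "$1/$f" ] && n=$((n + 1))
    done
    echo "$n"
}

# scrub_image ROOT: delete the per-host files so that each clone's first
# boot generates its own keys and seed. Refuses an empty or missing ROOT
# (an empty ROOT would otherwise mean rm -rf on the running system) and
# fails if anything is left behind.
scrub_image() {
    [ -n "$1" ] && [ -d "$1" ] || return 2
    for f in $PER_HOST_FILES; do
        rm -rf "$1/$f"
    done
    [ "$(count_per_host_files "$1")" -eq 0 ]
}

# find_duplicate_hostkeys ROOT...: compare the private host keys of every
# image root given. Prints one line per key shared by two or more roots
# ("<cksum> <path> <path>...") and returns 1 if any duplicate was found.
find_duplicate_hostkeys() {
    tmp=$(mktemp) || return 2
    for root; do
        for k in "$root"/etc/ssh/ssh_host_key "$root"/etc/ssh/ssh_host_*_key; do
            [ -f "$k" ] || continue
            # cksum is POSIX; ssh-keygen -l gives a nicer fingerprint but
            # is not needed to detect byte-identical keys.
            echo "$(cksum < "$k" | awk '{print $1}') $k"
        done
    done > "$tmp"
    dups=$(awk '{ n[$1]++; p[$1] = p[$1] " " $2 }
                END { for (s in n) if (n[s] > 1) print s p[s] }' "$tmp")
    rm -f "$tmp"
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Typical use in a replication run (commented out so the file is safe to
# source); device names are assumptions:
#   mount /dev/da1s1a /mnt && scrub_image /mnt && umount /mnt
#   dd if=/dev/da1 of=/dev/da2 bs=1m
# and, after the clones have booted once and their disks are mounted:
#   find_duplicate_hostkeys /clones/host1 /clones/host2 /clones/host3
```

The audit only catches byte-identical keys, which is exactly the failure Rod hit (a master booted once, then copied). It does nothing about keys that are merely weak because the PRNG was seeded from a copied or absent reseed file; that is the point Kris raises above and has to be handled in the PRNG's startup seeding, not in the replication script.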