Re: GRUB and network (was Re: GRUB and Google Summer of Code)

["Vladimir 'φ-coder/phcoder' Serbinenko" <phcoder@gmail.com>]

[-- Attachment #1: Type: text/plain, Size: 1564 bytes --]

Isaac Dupree wrote:
> On 04/01/10 16:59, Vladimir 'φ-coder/phcoder' Serbinenko wrote:
>>> There is already some crypto imported for password support so adding
>>> enough to have SSL would hopefully not be too difficult.
>>>
>> Not true. Although we have ciphers and hashes we don't have either
>> asymetric algorithms or random generator. The first is easy to import
>> but generating random numbers involves gathering entropy which is
>> cornerstone of network cryptography. Without a good random number
>> generator most SSL algorithms will only make the user happier without
>> adding any security against attacker.
>
> Is it reasonable to generate some random data during grub-install, and
> write it to the disk, where GRUB will then use it?
It is possible but there following problems:
1) This file has to be kept secret. In cases when one can be reasonably
sure GRUB wasn't tempered with but isn't sure it's still secret (e.g.
distribution of signed file), it's pretty much useless.
2) You can never ever use same entropy twice. So you will need to save
some kind of pointer where the last used entropy is. And when all
entropy was used we're back at square one. It's possible to save the
random number generator state instead but then random number isn't often
reseeded and so the smallest flaw in its algorithm is relatively easily
usable.
>   Maybe in combination with real-time clock, 
Point of random numbers is being unpredictable. RTC is predictable as a
clock.

-- 
Regards
Vladimir 'φ-coder/phcoder' Serbinenko



[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 293 bytes --]