From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mailman by lists.gnu.org with archive (Exim 4.43) id 1NxgJ3-0007yo-Mp for mharc-grub-devel@gnu.org; Fri, 02 Apr 2010 08:49:01 -0400 Received: from mailman by lists.gnu.org with tmda-scanned (Exim 4.43) id 1NxgIT-0007p9-Gd for grub-devel@gnu.org; Fri, 02 Apr 2010 08:48:25 -0400 Received: from [140.186.70.92] (port=60070 helo=eggs.gnu.org) by lists.gnu.org with esmtp (Exim 4.43) id 1NxgIS-0007nj-1R for grub-devel@gnu.org; Fri, 02 Apr 2010 08:48:25 -0400 Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.69) (envelope-from ) id 1NxgIQ-0004pM-Do for grub-devel@gnu.org; Fri, 02 Apr 2010 08:48:23 -0400 Received: from mail-bw0-f217.google.com ([209.85.218.217]:47294) by eggs.gnu.org with esmtp (Exim 4.69) (envelope-from ) id 1NxgIQ-0004pB-8y for grub-devel@gnu.org; Fri, 02 Apr 2010 08:48:22 -0400 Received: by bwz9 with SMTP id 9so1443100bwz.9 for ; Fri, 02 Apr 2010 05:48:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type; bh=7tKuHzGD67aOLpdkTeBesPBOhCv5AryVaYu9eAsicZY=; b=Jw9YKOAoiUvO6FAiRMqS9ZT2W1A/ciaazqOfOXYmvzc3QYNqGP4ou7xBZKfCGfQ2No WOzN9XX2Aucvb1AvdWc4qRJhzWff/M0PBfJsEgkrrLoo6v30hC8DniCV/68K8RKoSCLn +bTANAQZL4/iHPdOdkZAvROyMfSYJv6+dLrlc= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type; b=Hh14OfhRz90gvxNCqIAMU9ji9dW9e956YFTM8tEpa7GxHKdWfyYbTVOMRR9/hJjbY/ 0Fau1zARFVmN5F+O1IJSsYzI4IEZzw8atgB/UMdrNY33v7YR7DFFnO6r7S0jnZkTs/8U hREByMyVUmNndC1RCfO8D9w/H4fw8ca2fGz60= Received: by 10.204.133.27 with SMTP id d27mr3072016bkt.51.1270212501066; Fri, 02 Apr 2010 05:48:21 -0700 (PDT) Received: from debian.bg45.phnet (89-37.203-62.cust.bluewin.ch [62.203.37.89]) by mx.google.com with ESMTPS id 14sm4540003bwz.14.2010.04.02.05.48.19 (version=TLSv1/SSLv3 cipher=RC4-MD5); Fri, 02 Apr 2010 05:48:19 -0700 (PDT) Message-ID: <4BB5E78C.10108@gmail.com> Date: Fri, 02 Apr 2010 14:48:12 +0200 From: =?UTF-8?B?VmxhZGltaXIgJ8+GLWNvZGVyL3BoY29kZXInIFNlcmJpbmVua28=?= User-Agent: Mozilla-Thunderbird 2.0.0.22 (X11/20091109) MIME-Version: 1.0 To: The development of GNU GRUB References: <4BB0FB37.2060906@gmail.com> <4BB23431.3000007@gmail.com> <201003301546.30857.trustlix@linux.vnet.ibm.com> <4BB5093F.3030402@gmail.com> <4BB53659.6010606@isaac.cedarswampstudios.org> In-Reply-To: <4BB53659.6010606@isaac.cedarswampstudios.org> X-Enigmail-Version: 0.95.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="------------enigCB1F604BD7B850BE1B6A5151" X-detected-operating-system: by eggs.gnu.org: GNU/Linux 2.6 (newer, 2) Subject: Re: GRUB and network (was Re: GRUB and Google Summer of Code) X-BeenThere: grub-devel@gnu.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: The development of GNU GRUB List-Id: The development of GNU GRUB List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 02 Apr 2010 12:48:25 -0000 This is an OpenPGP/MIME signed message (RFC 2440 and 3156) --------------enigCB1F604BD7B850BE1B6A5151 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable Isaac Dupree wrote: > On 04/01/10 16:59, Vladimir '=CF=86-coder/phcoder' Serbinenko wrote: >>> There is already some crypto imported for password support so adding >>> enough to have SSL would hopefully not be too difficult. >>> >> Not true. Although we have ciphers and hashes we don't have either >> asymetric algorithms or random generator. The first is easy to import >> but generating random numbers involves gathering entropy which is >> cornerstone of network cryptography. Without a good random number >> generator most SSL algorithms will only make the user happier without >> adding any security against attacker. > > Is it reasonable to generate some random data during grub-install, and > write it to the disk, where GRUB will then use it? It is possible but there following problems: 1) This file has to be kept secret. In cases when one can be reasonably sure GRUB wasn't tempered with but isn't sure it's still secret (e.g. distribution of signed file), it's pretty much useless. 2) You can never ever use same entropy twice. So you will need to save some kind of pointer where the last used entropy is. And when all entropy was used we're back at square one. It's possible to save the random number generator state instead but then random number isn't often reseeded and so the smallest flaw in its algorithm is relatively easily usable. > Maybe in combination with real-time clock,=20 Point of random numbers is being unpredictable. RTC is predictable as a clock. --=20 Regards Vladimir '=CF=86-coder/phcoder' Serbinenko --------------enigCB1F604BD7B850BE1B6A5151 Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.10 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iF4EAREKAAYFAku155IACgkQNak7dOguQgmgkQD/RoNPgTgnR1dNp9dSrGM8S5yx zlLmyJKBRcX9/DYRkOEBAIK6PpuLNb+dBY8u54l08MSP8F9fbBwXNEGsznlGN8/Z =5+DT -----END PGP SIGNATURE----- --------------enigCB1F604BD7B850BE1B6A5151--