From: Theodore Tso <tytso@mit.edu>
To: Andy Lutomirski <luto@myrealbox.com>
Cc: John Reiser <jreiser@BitWagon.com>,
Matt Mackall <mpm@selenic.com>,
linux-kernel@vger.kernel.org, security@kernel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data
Date: Mon, 17 Dec 2007 22:05:33 -0500 [thread overview]
Message-ID: <20071218030533.GN7070@thunk.org> (raw)
In-Reply-To: <476719E5.1010505@myrealbox.com>
On Mon, Dec 17, 2007 at 07:52:53PM -0500, Andy Lutomirski wrote:
> It runs on a freshly booted machine (no
> DSA involved, so we're not automatically hosed), so an attacker knows the
> initial pool state.
Not just a freshly booted system. The system has to be a freshly
booted, AND freshly installed system. Normally you mix in a random
seed at boot time. And during the boot sequence, the block I/O will
be mixing randomness into the entropy pool, and as the user logs in,
the keyboard and mouse will be mixing more entropy into the pool. So
you'll have to assume that all entropy inputs have somehow been
disabled as well.
BUT --- if the pool state is totally known, you're really, REALLY,
REALLY hosed, since normally /dev/random might get used to initialize
a CRNG to *generate* the ephmeral key. So the danger is not *3*
*bytes* of the empheral key accidentally getting mixed into the
entropy pool, followed by an attacker managing to crack the system so
bad that he or she has read access into kernel memory (without
managing to mix more entropy into the pool), and then doing
sophisticated cryptoanalytic attacks with an O(2**24) order time, to
try to leak the *3* *bytes* of emphemeral key. No, the problem is
that the attacker, with access to the known initial state of the pool,
will be able to find out *THE* *ENTIRE* *EMPHERAL* *KEY*, since it was
probably generated via /dev/random --- and without needing to break
into the system with sufficient privs to be able to read kernel
memory.
So it is your argument which is absurd. If you're going to assume a
completely known pool state, and then assume some program is using
/dev/random, the danger is not in change that some previous kernel
stack state might contain something secret that could theoretically be
revealed after an attacker manages to break into machine as root. No,
the real danger is in what this presumably cryptographically sensitive
program did with the predictable data from /dev/random.
So the real answer is that there needs to be sufficient randomness
mixed into /dev/random. For a typical Linux system, it's there.
There are some potential configuration (say a pure diskless system
with NFS remote filesystems and no keyboard or mouse) being used in
some kind of security-sensitive system. Now, someone who wanted to
say, run a remote certificate signing server or IPSEC key management
system on such a system would arguably be performing security
malpractice, and the lack of entropy for /dev/random is probably the
least of such a system's security problems.
But in any case, instead of trying to worry about these sorts of
hypothetical worries, the much better use of time and energy is the
userspace daemon that can sample entropy from a sound device, or some
other hardware entropy available to the system. The real issue is
being able to make sure the pool is *not* knowable to an attacker.
- Ted
next prev parent reply other threads:[~2007-12-18 3:05 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-14 19:34 /dev/urandom uses uninit bytes, leaks user data John Reiser
2007-12-14 20:13 ` Matt Mackall
2007-12-14 20:45 ` John Reiser
2007-12-14 23:23 ` Theodore Tso
2007-12-15 0:30 ` John Reiser
2007-12-15 4:32 ` Theodore Tso
2007-12-17 16:30 ` John Reiser
2007-12-17 17:36 ` Theodore Tso
2007-12-18 0:52 ` Andy Lutomirski
2007-12-18 3:05 ` Theodore Tso [this message]
2007-12-18 3:13 ` David Newall
2007-12-18 3:46 ` Theodore Tso
2007-12-18 4:09 ` David Newall
2007-12-18 4:23 ` Theodore Tso
2007-12-19 22:43 ` Bill Davidsen
2007-12-19 22:40 ` Bill Davidsen
2007-12-20 4:18 ` Andrew Lutomirski
2007-12-20 20:17 ` Phillip Susi
2007-12-21 16:10 ` Andrew Lutomirski
2007-12-22 1:14 ` Theodore Tso
2007-12-26 18:30 ` Phillip Susi
2007-12-20 20:36 ` Theodore Tso
2007-12-27 10:44 ` Pavel Machek
2007-12-18 5:12 ` David Schwartz
2007-12-17 20:59 ` David Schwartz
2007-12-15 7:13 ` Herbert Xu
2007-12-15 16:30 ` Matt Mackall
2007-12-17 17:28 ` Signed divides vs shifts (Re: [Security] /dev/urandom uses uninit bytes, leaks user data) Linus Torvalds
2007-12-17 17:48 ` Al Viro
2007-12-17 17:55 ` Eric Dumazet
2007-12-17 18:05 ` Ray Lee
2007-12-17 18:10 ` Eric Dumazet
2007-12-17 18:12 ` Ray Lee
2007-12-17 18:23 ` Al Viro
2007-12-17 18:28 ` [Security] Signed divides vs shifts (Re: " Linus Torvalds
2007-12-17 19:08 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2007-12-15 7:20 /dev/urandom uses uninit bytes, leaks user data Matti Linnanvuori
2007-12-15 7:54 ` Valdis.Kletnieks
2007-12-15 22:44 linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071218030533.GN7070@thunk.org \
--to=tytso@mit.edu \
--cc=jreiser@BitWagon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@myrealbox.com \
--cc=mpm@selenic.com \
--cc=security@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).