Re: Entropy Pool Contents

[Eran Tromer <eran@tromer.org>]

On 2006-11-28 19:42, Phillip Susi wrote:

> what good does a non root user do by writing to random?  If it
> does not increase the entropy estimate, and it may not actually increase
> the entropy, why bother allowing it?

It is not guaranteed to actually increase the entropy, but it might. And
in case the entropy was previously overestimated, you will have gained
security.

Think of it this way: you can have several users feeding the entropy
pool, and it suffices that *any* of them is feeding strings with nonzero
entropy (with respect to the adversary) in order to get that gain.


That said, I don't feel comfortable about allowing untrusted users to
directly feed the entropy pool, as it can aggravate some failure modes.
To take an extreme example, suppose the adversary has somehow learned
the full state of the pool, i.e., the real entropy is 0, contrary to the
kernel's estimate.

Can things get any worse? Sure they can:

Thus far the adversary can mount attacks that require *known*
randomness. However, if he can now feed his own strings into the pool
mixer as an untrusted user, then he can achieve a *chosen* randomness,
and this undoubtedly enables a wider class of attacks (e.g., covert
channels).

Fully chosen randomness is unlikely here due to the SHA-1
postprocessing, but numerous bits in the next /dev/random read can be
fixed simply by exhaustive search. Worse yet, if the injected string is
mixed directly into the pool without cryptographic preprocessing, then
the exhaustive search can be done via off-line preprocessing: once the
primary pool is estimated to have full entropy, the /dev/random
algorithm lets you linearly manipulate the /dev/random pool into any
state. That's a nasty design flaw, BTW (see Gutterman et al., section 3).

Of course, in principle the same is possible by manipulating the
existing /dev/random event sources. But it's much harder to produce
bit-exact inputs through such indirect means.

  Eran