From: Phillip Susi <psusi@cfl.rr.com>
To: Andrew Lutomirski <luto@myrealbox.com>
Cc: Theodore Tso <tytso@mit.edu>,
David Newall <david@davidnewall.com>,
John Reiser <jreiser@bitwagon.com>,
Matt Mackall <mpm@selenic.com>,
linux-kernel@vger.kernel.org, security@kernel.org
Subject: Re: /dev/urandom uses uninit bytes, leaks user data
Date: Wed, 26 Dec 2007 13:30:35 -0500 [thread overview]
Message-ID: <47729DCB.6010000@cfl.rr.com> (raw)
In-Reply-To: <cb0375e10712210810p36fc9995s345d23b7dff5a3b3@mail.gmail.com>
Andrew Lutomirski wrote:
> No, it's there, and if there's little enough entropy around it can be
> recovered by brute force.
A little entropy is enough to prevent a brute force attack. You would
have to have ZERO entropy after a cold boot so the attacker would know
exactly the contents of the pool, AND know that one and ONLY one other
task has read from /dev/urandom, AND exactly what time that task did so,
AND how many bytes it read. Only then could the attacker read from
urandom and based on those bytes and the previous known pool state,
brute force the 3 bytes that came from some unknown location in the
other task's memory.
>>> Step 1: Boot a system without a usable entropy source.
>>> Step 2: add some (predictable) "entropy" from userspace which isn't a
>>> multiple of 4, so up to three extra bytes get added.
>>> Step 3: Read a few bytes of /dev/random and send them over the network.
>> Only root can do 1 and 2, at which point, it's already game over.
>
> Again, no. Root could do this accidentally. Step 1 happens all the
> time (see the comments on non-unique UUIDs). Step 2 just requires a
It does not happen all the time. It happens on a system that has just
been cold booted from read only distribution media with a broken cmos
clock, no user keyboard interaction, and no hardware rng and that's it.
Every other system is going to have some entropy from the last boot at
least.
next prev parent reply other threads:[~2007-12-26 18:30 UTC|newest]
Thread overview: 39+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-12-14 19:34 /dev/urandom uses uninit bytes, leaks user data John Reiser
2007-12-14 20:13 ` Matt Mackall
2007-12-14 20:45 ` John Reiser
2007-12-14 23:23 ` Theodore Tso
2007-12-15 0:30 ` John Reiser
2007-12-15 4:32 ` Theodore Tso
2007-12-17 16:30 ` John Reiser
2007-12-17 17:36 ` Theodore Tso
2007-12-18 0:52 ` Andy Lutomirski
2007-12-18 3:05 ` Theodore Tso
2007-12-18 3:13 ` David Newall
2007-12-18 3:46 ` Theodore Tso
2007-12-18 4:09 ` David Newall
2007-12-18 4:23 ` Theodore Tso
2007-12-19 22:43 ` Bill Davidsen
2007-12-19 22:40 ` Bill Davidsen
2007-12-20 4:18 ` Andrew Lutomirski
2007-12-20 20:17 ` Phillip Susi
2007-12-21 16:10 ` Andrew Lutomirski
2007-12-22 1:14 ` Theodore Tso
2007-12-26 18:30 ` Phillip Susi [this message]
2007-12-20 20:36 ` Theodore Tso
2007-12-27 10:44 ` Pavel Machek
2007-12-18 5:12 ` David Schwartz
2007-12-17 20:59 ` David Schwartz
2007-12-15 7:13 ` Herbert Xu
2007-12-15 16:30 ` Matt Mackall
2007-12-17 17:28 ` Signed divides vs shifts (Re: [Security] /dev/urandom uses uninit bytes, leaks user data) Linus Torvalds
2007-12-17 17:48 ` Al Viro
2007-12-17 17:55 ` Eric Dumazet
2007-12-17 18:05 ` Ray Lee
2007-12-17 18:10 ` Eric Dumazet
2007-12-17 18:12 ` Ray Lee
2007-12-17 18:23 ` Al Viro
2007-12-17 18:28 ` [Security] Signed divides vs shifts (Re: " Linus Torvalds
2007-12-17 19:08 ` Al Viro
-- strict thread matches above, loose matches on Subject: below --
2007-12-15 7:20 /dev/urandom uses uninit bytes, leaks user data Matti Linnanvuori
2007-12-15 7:54 ` Valdis.Kletnieks
2007-12-15 22:44 linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=47729DCB.6010000@cfl.rr.com \
--to=psusi@cfl.rr.com \
--cc=david@davidnewall.com \
--cc=jreiser@bitwagon.com \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@myrealbox.com \
--cc=mpm@selenic.com \
--cc=security@kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).