From: daw@cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: Entropy Pool Contents
Date: Mon, 27 Nov 2006 20:40:16 +0000 (UTC) [thread overview]
Message-ID: <ekfifg$n41$1@taverner.cs.berkeley.edu> (raw)
In-Reply-To: 456B4CD2.7090208@cfl.rr.com
Phillip Susi wrote:
>David Wagner wrote:
>> Nope, I don't think so. If they could, that would be a security hole,
>> but /dev/{,u}random was designed to try to make this impossible, assuming
>> the cryptographic algorithms are secure.
>>
>> After all, some of the entropy sources come from untrusted sources and
>> could be manipulated by an external adversary who doesn't have any
>> account on your machine (root or non-root), so the scheme has to be
>> secure against introduction of maliciously chosen samples in any event.
>
>Assuming it works because it would be a bug if it didn't is a logical
>fallacy. Either the new entropy pool is guaranteed to be improved by
>injecting data or it isn't. If it is, then only root should be allowed
>to inject data. If it isn't, then the entropy estimate should increase
>when the pool is stirred.
Sorry, but I disagree with just about everything you wrote in this
message. I'm not committing any logical fallacies. I'm not assuming
it works because it would be a bug if it didn't; I'm just trying to
help you understand the intuition. I have looked at the algorithm
used by /dev/{,u}random, and I am satisfied that it is safe to feed in
entropy samples from malicious sources, as long as you don't bump up the
entropy counter when you do so. Doing so can't do any harm, and cannot
reduce the entropy in the pool. However, there is no guarantee that
it will increase the entropy. If the adversary knows what bytes you
are feeding into the pool, then it doesn't increase the entropy count,
and the entropy estimate should not be increased.
Therefore:
- It is safe to allow non-root users to inject data into the pool
by writing to /dev/random, as long as you don't bump up the entropy
estimate. Doing so cannot decrease the amount of entropy in the
pool.
- It is not a good idea to bump up the entropy estimate when non-root
users write to /dev/random. If a malicious non-root user writes
the first one million digits of pi to /dev/random, then this hasn't
increased the uncertainty that this attacker has in the pool, so
you shouldn't increase the entropy estimate.
- Whether you automatically bump up the entropy estimate when
root users write to /dev/random is a design choice where you could
reasonably go either way. On the one hand, you might want to ensure
that root has to take some explicit action to allege that it is
providing a certain degree of entropy, and you might want to insist
that root tell /dev/random how much entropy it added (since root
knows best where the data came from and how much entropy it is likely
to contain). On the other hand, you might want to make it easier
for shell scripts to add entropy that will count towards the overall
entropy estimate, without requiring them to go through weird
contortions to call various ioctl()s. I can see arguments both
ways, but the current behavior seems reasonable and defensible.
Note that, in any event, the vast majority of applications should be
using /dev/urandom (not /dev/random!), so in an ideal world, most of
these issues should be pretty much irrelevant to the vast majority of
applications. Sadly, in practice many applications wrongly use
/dev/random when they really should be using /dev/urandom, either out
of ignorance, or because of serious flaws in the /dev/random man page.
next prev parent reply other threads:[~2006-11-27 20:46 UTC|newest]
Thread overview: 35+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-11-22 23:54 Entropy Pool Contents Gunter Ohrner
2006-11-22 23:59 ` Gunter Ohrner
2006-11-23 0:10 ` Jan Engelhardt
2006-11-23 21:40 ` Gunter Ohrner
2006-11-27 16:16 ` Phillip Susi
2006-11-27 16:19 ` Chris Friesen
2006-11-27 18:54 ` Phillip Susi
2006-11-27 19:33 ` David Wagner
2006-11-27 20:38 ` Phillip Susi
2006-11-27 20:40 ` David Wagner [this message]
2006-11-27 21:52 ` Kyle Moffett
2006-11-28 4:17 ` David Wagner
2006-11-28 5:19 ` Ben Pfaff
2006-11-28 12:13 ` Henrique de Moraes Holschuh
2006-11-28 12:58 ` David Wagner
2006-11-28 13:32 ` Eran Tromer
2006-11-28 13:15 ` Martin Mares
2006-11-28 17:22 ` Phillip Susi
2006-11-28 17:24 ` Martin Mares
2006-11-28 17:46 ` Phillip Susi
2006-11-28 17:49 ` Martin Mares
2006-11-28 18:40 ` Phillip Susi
2006-11-28 21:05 ` Martin Mares
2006-11-29 20:04 ` Phillip Susi
2006-11-28 17:42 ` Phillip Susi
2006-11-28 17:59 ` Martin Mares
2006-11-28 22:50 ` Eran Tromer
2006-11-27 22:21 ` Gunter Ohrner
2006-11-24 0:48 ` Theodore Tso
2006-11-24 1:01 ` Jeff Garzik
2006-11-23 20:54 ` Lennart Sorensen
2006-11-23 21:34 ` Gunter Ohrner
2006-11-23 21:04 ` Jeff Garzik
2006-11-23 21:43 ` Gunter Ohrner
2006-11-26 1:26 ` Folkert van Heusden
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ekfifg$n41$1@taverner.cs.berkeley.edu' \
--to=daw@cs.berkeley.edu \
--cc=daw-usenet@taverner.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox