Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Mon, 18 Dec 2000 17:04:13 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Mon, 18 Dec 2000 17:04:03 -0500 Received: from TSX-PRIME.MIT.EDU ([18.86.0.76]:62100 "HELO tsx-prime.MIT.EDU") by vger.kernel.org with SMTP id ; Mon, 18 Dec 2000 17:03:46 -0500 Date: Mon, 18 Dec 2000 16:33:13 -0500 Message-Id: <200012182133.QAA02136@tsx-prime.MIT.EDU> From: "Theodore Y. Ts'o" To: Jamie Lokier CC: David Schwartz , Karel Kulhavy , linux-kernel@vger.kernel.org In-Reply-To: Jamie Lokier's message of Mon, 18 Dec 2000 21:38:01 +0100, <20001218213801.A19903@pcep-jamie.cern.ch> Subject: Re: /dev/random: really secure? Phone: (781) 391-3464 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Date: Mon, 18 Dec 2000 21:38:01 +0100 From: Jamie Lokier David Schwartz wrote: > The code does its best to estimate how much actual entropy it is gathering. A potential weakness. The entropy estimator can be manipulated by feeding data which looks random to the estimator, but which is in fact not random at all. Yes, absolutely. That's why you have to be careful before you make changes to the kernel code to feed additional data to the estimator. *Usually* relying on interrupt timing is safe, but not always. For example, an adversary can observe, and in some cases control the arrivial of network packets which control the network card's interrupt timings. Is it enough to be able to predict with cpu-counter resolution the inputs to the /dev/random pool? Maybe; it depends on how paranoid you are. Note that writing to /dev/random does *not* update the entropy estimate, for this very reason. The assumption is that inputs to the entropy estimator have to be trusted, and since /dev/random is typically world-writeable, it is not so trusted. - Ted - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/