From: Ted Ts'o Subject: Re: [PATCH] random: add blocking facility to urandom Date: Wed, 7 Sep 2011 17:18:58 -0400 Message-ID: <20110907211858.GE20571@thunk.org> References: <1314974248-1511-1-git-send-email-jarod@redhat.com> <4E67B75B.8010500@redhat.com> <20110907192737.GD20571@thunk.org> <201109071602.24519.sgrubb@redhat.com> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: Jarod Wilson , Sasha Levin , linux-crypto@vger.kernel.org, Matt Mackall , Neil Horman , Herbert Xu , Stephan Mueller , lkml To: Steve Grubb Return-path: Received: from li9-11.members.linode.com ([67.18.176.11]:50060 "EHLO test.thunk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1757006Ab1IGVTG (ORCPT ); Wed, 7 Sep 2011 17:19:06 -0400 Content-Disposition: inline In-Reply-To: <201109071602.24519.sgrubb@redhat.com> Sender: linux-crypto-owner@vger.kernel.org List-ID: On Wed, Sep 07, 2011 at 04:02:24PM -0400, Steve Grubb wrote: > > When a system is underattack, do you really want to be using a PRNG > for anything like seeding openssl? Because a PRNG is what urandom > degrades into when its attacked. This is not technically true. urandom degrades into a CRNG (cryptographic random number generator). In fact what most security experts recommend is to take a small amount of security, and then use that to seed a CRNG. > If enough bytes are read that an > attacker can guess the internal state of the RNG, do you really want > it seeding a openssh session? In a cryptographic random number generator, there is a either a cryptographic hash or a encryption algorithm at the core. So you would need a huge amounts of bytes, and then you would have to carry out an attack on the cryptographic core. If this is the basis for the patch, then we should definitely NACK it. It sounds like snake oil fear mongering. - Ted