Bug#587665: Safety of early boot init of /dev/random seed
in [Kernel]
|
Prev: jz4740-adc/jz4740-hwmon: check kmalloc() result
Next: sata_fsl,mv,nv: prepare for NCQ command completion update
From: Christoph Anton Mitterer on 1 Aug 2010 19:00 Hey Matt... May I ask you a follow-up question on that,... which is however not so much Debian-init-related, I guess. On Mon, 2010-07-05 at 13:40 -0500, Matt Mackall wrote: > > > 1. How much data of unknown quality can we feed the random pool at boot, > > > before it causes damage (i.e. what is the threshold where we violate the > > > "you are not goint to be any worse than you were before" rule) ? > > There is no limit. The mixing operations are computationally reversible, > which guarantees that no unknown degrees of freedom are clobbered when > mixing known data. > > > > 2. How dangerous it is to feed the pool with stale seed data in the next > > > boot (i.e. in a failure mode where we do not regenerate the seed file) ? > > Not at all. Are the above to statements also true for possibly "evil" random data? I mean the seed file (as in Debian) is already from the kernel's PRNG, right? So that shouldn't contain evil and special crafted data in order to weak the PRNG. Working with a Gird-CA for the LHC - we're always interested in nice tokens like: http://www.entropykey.co.uk/ Unfortunately it's never really clear how well their contribution would actually be.... and the paranoid below us could even believe, that mighty government organisations have such devices hacked in order to harm our crypto ;) Thanks, Chris.
From: Henrique de Moraes Holschuh on 2 Aug 2010 00:20 On Mon, 02 Aug 2010, Christoph Anton Mitterer wrote: > > > > 2. How dangerous it is to feed the pool with stale seed data in the next > > > > boot (i.e. in a failure mode where we do not regenerate the seed file) ? > > > > Not at all. > > Are the above to statements also true for possibly "evil" random data? Yes. I think you could consider that seeding with evil data does as much damage as not seeding at all. Unless there is a big bad bug somewhere, in which case we'd very much like to know about it ;-) > Working with a Gird-CA for the LHC - we're always interested in nice > tokens like: > http://www.entropykey.co.uk/ > > Unfortunately it's never really clear how well their contribution would > actually be.... and the paranoid below us could even believe, that > mighty government organisations have such devices hacked in order to > harm our crypto ;) Well, if you overestimate the entropy that thing will output, it might cause harm. If it has a self-sabotage device that is intelligent enough not to fail the tests done by the application that feeds entropy to the kernel, it might cause harm. The list goes on and on... -- "One disk to rule them all, One disk to find them. One disk to bring them all and in the darkness grind them. In the Land of Redmond where the shadows lie." -- The Silicon Valley Tarot Henrique Holschuh -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
From: Matt Mackall on 2 Aug 2010 01:00
On Mon, 2010-08-02 at 00:52 +0200, Christoph Anton Mitterer wrote: > Hey Matt... > > May I ask you a follow-up question on that,... which is however not so > much Debian-init-related, I guess. > > > On Mon, 2010-07-05 at 13:40 -0500, Matt Mackall wrote: > > > > 1. How much data of unknown quality can we feed the random pool at boot, > > > > before it causes damage (i.e. what is the threshold where we violate the > > > > "you are not goint to be any worse than you were before" rule) ? > > > > There is no limit. The mixing operations are computationally reversible, > > which guarantees that no unknown degrees of freedom are clobbered when > > mixing known data. > > > > > > 2. How dangerous it is to feed the pool with stale seed data in the next > > > > boot (i.e. in a failure mode where we do not regenerate the seed file) ? > > > > Not at all. > > Are the above to statements also true for possibly "evil" random data? Yes. Mixing in known values will not cause the contents of the pool to become 'more known'. This is what I mean about reversible mixing (without getting too technical): you can mix in a billion known values, then mathematically reverse the billion mixing operations to return to the original unknown state. Which means that the state after a billion operations has just as much unknown-ness as it did when it started. Here's the simplest version: consider that you've got a single unknown bit X. Then you "mix" in Y1...Y9999 with X'=X^Y (reversible with X=X'^Y). Because you don't know anything about X beforehand, no number or pattern of bits Yn is going to improve your guess of the final value of X - after each operation, it's still exactly as unguessable as before. Crucially, though, if you start with a _known_ value and mix in _unknowns_ (what you're usually trying to do), the resulting state's unknown-ness increases. With a good mixing function (and ours is pretty decent), repeated addition of unknown values rapidly saturates the unknown-ness of the pool. -- Mathematics is the supreme nostalgia of our time. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo(a)vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/ |