On 9/10/2012 1:32 PM, Arthur Mesh wrote:
> On Mon, Sep 10, 2012 at 01:02:45PM -0700, Doug Barton wrote:
>>> I was exaggerating a bit - but my reasoning was that since it hasn't
>>> blown up in our faces yet, it's probably subtle enough to require a
>>> large number of samples.
>>
>>
>> If I were Arthur, here is how I would test the "replay attack" assertion:
>>
>> 1. Install a virgin system with everything as it was before David's
>> first commit, and let it run for 24 hours with all the defaults intact.
>> Ideally, have it do something over the network periodically to make sure
>> that some kind of entropy is harvested from the network drivers. Run
>> 'find / -name SASLKASDJKL' to make sure you get some from the disk
>> drivers too.
>> 2. Disable the cron job for the /var/db/entropy script, and comment out
>> the writing of /entropy at shutdown time in /etc/rc.d/random.
>> 3. Write a script to reboot, and once the system is fully booted do 'dd
>> if=/dev/random of=saved-random-out.$i count=4096' then reboot again
>> immediately. Values of i from 1 to 10,000 ought to do it.
>> 4. sha256 the saved-random-out files and see how many duplicates there are.
>
> This test doesn't prove anything useful for the reason des@ outlined.
>
> To summarize, I have provided my findings and reasoning multiple times.
> I've sent a separate report with pointers to problematic code of how
> entropy is consumed by yarrow to secteam@.
I'm interested in that as well. If someone from secteam@ would like to
forward that to me I'd appreciate it. I will of course keep it
confidential.
Meanwhile can you state publicly whether or not your testing included
using dd to feed the device, as is currently done?
> You keep asking for empirical proof of my claims.
>
> There are two claims that I make:
>
> 1) entropy isn't fully consumed by yarrow all the time - for this I have
> empirical proof.
I will take your word on that, but before we make any changes to how we
use the entropy in the system it would be nice if secteam@ were to
discuss publicly the implications of your findings. Or, collaborate with
you and I privately to make sure that the proper changes get made.
> 2) reusing entropy seeds is a bad thing - for this I don't have
> empirical proof. But I have Bruce Schneier's word.
And as I have stated repeatedly, you and David are misapplying what
you're reading.
> Take it or leave it.
If those are my choices, I choose "leave it." :) Without any actual
proof that reusing the static entropy files causes harm, I would like to
ask that the postrandom script be backed out.
I will be working on my ideas to pseudo-randomize the order in which the
files from /var/db/entropy are used, and to add a new file there at boot
time, as discussed previously. I will submit those diffs for comment
before I act on them though.
Doug
--
I am only one, but I am one. I cannot do everything, but I can do
something. And I will not let what I cannot do interfere with what
I can do.
-- Edward Everett Hale, (1822 - 1909)
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"
