----- Original message -----
> From: "Roman Yeryomin" <leroi.li...@gmail.com>
> To: "OpenWrt Development List" <openwrt-devel@lists.openwrt.org>
> Sent: Thursday 12 January 2012 16:52:36
> Subject: Re: [OpenWrt-Devel] [PATCH] Haveged entropy gathering daemon - Package
>
> If I remember correctly there were some security reasons for removing
> it from the kernel.

There are two reasons. First, the network could be sniffed and one could use that knowledge to know what has been added to the entropy pool at which exact time. Very hard to do, and much, much harder when there are multiple networks, as usually you are not able to sniff all networks at the same time. Secondly, /dev/random content is supposed to count only first-class entropy for crypto purposes, so if you add content that is not of first-class quality, you lie about the size of the available entropy.

I think the real reason is that mostly programmers are paid to make big servers work in a secure way. If a server has only one network card active and that card feeds the entropy pool, that would be bad for security if someone were able to sniff that network. So from an audit point of view, it is better to remove an uncertain entropy source. Secondly, big servers these days have hardware noise generators to feed the entropy pool.

> Although I've done this on the ramips platform and didn't face any issues,
> I think that, potentially, a better source of entropy would be radio
> noise. Of course, if it's possible to get.

As with network traffic from a cable, radio noise could be sniffed; in the radio case even without physical access. So that may not be better, maybe even worse.

Gilles

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
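As an added illustration of the two objections raised in the reply above (this is not code from the thread, the kernel or the Haveged package), a toy hash-based pool in Python: an eavesdropper who captured the same packet timings rebuilds an identical pool, and crediting those timings inflates the reported entropy count. The packet timestamps are constructed and the pool is a deliberate simplification of a real kernel pool.

```python
"""Toy entropy pool showing why observable inputs should not be credited."""
import hashlib
import os


class ToyPool:
    """Minimal pool: state is mixed with a hash; credited_bits is what the
    pool *claims* to have gathered (this is the number /dev/random would
    report, not the real unpredictability)."""

    def __init__(self) -> None:
        self.state = b"\x00" * 32
        self.credited_bits = 0

    def mix(self, sample: bytes, credit_bits: int) -> None:
        self.state = hashlib.sha256(self.state + sample).digest()
        self.credited_bits += credit_bits

    def output(self) -> bytes:
        return hashlib.sha256(b"out" + self.state).digest()


def network_timings() -> list[bytes]:
    # Constructed packet arrival timestamps (microseconds) as seen on the wire;
    # anyone sniffing the same link sees exactly these values.
    return [b"%d" % t for t in (1326386000123, 1326386000811, 1326386001407)]


def sniffable_only() -> tuple[int, bool]:
    """Victim credits each sniffed timing as 32 bits of entropy. An eavesdropper
    who captured the same traffic reproduces the victim's output byte for byte,
    so the 96 credited bits are a lie about the available entropy."""
    victim, eavesdropper = ToyPool(), ToyPool()
    for t in network_timings():
        victim.mix(t, credit_bits=32)
        eavesdropper.mix(t, credit_bits=0)  # the attacker needs no credit
    return victim.credited_bits, victim.output() == eavesdropper.output()


def with_unobservable_source() -> tuple[int, bool]:
    """Same timings, credited as 0 bits, plus 32 bytes from a source the
    eavesdropper cannot observe (os.urandom stands in for a hardware noise
    generator). Only that source is credited, and the outputs now differ."""
    victim, eavesdropper = ToyPool(), ToyPool()
    for t in network_timings():
        victim.mix(t, credit_bits=0)
        eavesdropper.mix(t, credit_bits=0)
    victim.mix(os.urandom(32), credit_bits=256)
    return victim.credited_bits, victim.output() == eavesdropper.output()
```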