Jason A. Donenfeld wrote in
 <CAHmME9p=nqmmkmets_8uv4xnhwcjufjhf5sy32frjnetath...@mail.gmail.com>:
 ...
 |Again, stop charging steadfastly toward creating vulnerabilities
 |because you don't understand things. The scenario is:
 |
 |- RNG is seeded and credited using file A.
 |- File A is unlinked but not fsync()d.
 |- TLS connection does something and a nonce is generated.
 |- System loses power and reboots.
 |- RNG is seeded and credited using same file A.
 |- TLS connection does something and the same nonce is generated,
 |resulting in catastrophic cryptographic failure.

But mind you: does the kernel _not_ incorporate system times and
a few interrupts here and there up to this point already?  And some
hardware crypto seed if available.  So if the _same_ nonce is
generated even if a _VM_ is started a second time, inside the VM,
which does generate its own random, not virtio-rng, no matter what,
then the system is broken per se.  Isn't it?

Haven't looked, but I'd assume that both the internal and the
external pool (if it is done like this; I think it was so in the
past) are not exposed but BLAKE2 (which you have chosen and were
credited by Bruce Schneier for the decision) digested, what is
used, then.  So assuming there is a sliding window on the internal
seed pool that is actually digested (first), moving that window
randomly is an option.  I.e. like -fPIC swirling uses, but with
a higher effective entropy as the internal seed buffer content is
totally unknown.  So the mathematical formula that describes the
theoretical actual entropy when done like this is stunning.
You know, why always start at the beginning?  You know this of
course.

Ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
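The seed-file scenario quoted at the top of this message, as an added illustration that is not code from this thread, from busybox's seedrng or from the kernel: a toy model of a seed file on a filesystem with a page cache, where writes and unlinks stay pending until fsync() commits them and a power loss discards everything pending. The names FakeDisk, boot_and_derive_nonce and run_scenario, the use of BLAKE2s as the toy DRBG, and the initial seed file contents are all assumptions made for the example.

```python
"""Toy model of the credited-seed-file reuse hazard.

Constructed example: the DRBG is a single BLAKE2s state derived only from
the seed file, so whether a nonce repeats across a power loss depends solely
on whether the seed-file rotation was made durable before the reboot.
"""
import hashlib


class FakeDisk:
    """A filesystem with a page cache (assumed model, not a real FS API).

    Writes and unlinks land in `pending` until fsync() moves them into
    `committed`; power_loss() throws `pending` away, as a crash would.
    """

    def __init__(self, files=None):
        self.committed = dict(files or {})
        self.pending = {}  # name -> bytes, or None for a pending unlink

    def read(self, name):
        # A pending write/unlink shadows the committed copy, as the page cache does.
        return self.pending.get(name, self.committed.get(name))

    def write(self, name, data):
        self.pending[name] = data

    def unlink(self, name):
        self.pending[name] = None

    def fsync(self, name):
        if name in self.pending:
            data = self.pending.pop(name)
            if data is None:
                self.committed.pop(name, None)
            else:
                self.committed[name] = data

    def power_loss(self):
        self.pending.clear()


def blake2(*parts):
    """Domain-separated BLAKE2s over the given byte strings."""
    h = hashlib.blake2s()
    for part in parts:
        h.update(part)
    return h.digest()


def boot_and_derive_nonce(disk, seed_name, durable_rotation):
    """One boot: credit the seed file, rotate it, then emit a 96-bit TLS-style nonce.

    durable_rotation=False reproduces the quoted scenario (unlink/write
    without fsync); True is the fix: the replacement seed is committed
    before anything derived from the old one is used.
    """
    seed = disk.read(seed_name)
    if seed is None:
        return None  # no seed to credit; a real loader would wait for entropy
    state = blake2(b"seed", seed)  # credited seeding from the file alone
    new_seed = blake2(b"next", state)
    disk.unlink(seed_name)
    disk.write(seed_name, new_seed)
    if durable_rotation:
        disk.fsync(seed_name)
    return blake2(b"nonce", state)[:12]


def run_scenario(durable_rotation):
    """Return True when the nonce generated before and after the power loss is identical."""
    disk = FakeDisk({"seed": b"A" * 32})  # constructed initial seed file
    first = boot_and_derive_nonce(disk, "seed", durable_rotation)
    disk.power_loss()  # everything not fsync()d is gone
    second = boot_and_derive_nonce(disk, "seed", durable_rotation)
    return first == second


if __name__ == "__main__":
    print("nonce reused without fsync:", run_scenario(durable_rotation=False))
    print("nonce reused with fsync:   ", run_scenario(durable_rotation=True))
```

The model deliberately leaves out the timers and interrupts discussed in the reply: if those inputs are mixed in but not counted as credited entropy, they do not change the credited-seed argument, and if they are predictable to an attacker they do not rescue the nonce either. The durable variant is what a seed loader should do: commit the replacement seed before crediting the old one.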
_______________________________________________
busybox mailing list
busybox@busybox.net
http://lists.busybox.net/mailman/listinfo/busybox