At 10:04 PM 7/17/99 -0700, Mike Brodhead wrote:
>> Step 3a) If Whitney is getting key material from /dev/random, the result
is
>> a denial of service. All the IPsec tunnels will time out and will be
>> replaced slowly or not at all, because of the entropy shortage.
>
>seems to me that the reason the denial of service attack works does
>not have anything to do with the randomness per se. the attack works
>because the host must expend a lot of time and/or CPU juice before the
>new connection is determined to be bogus.
/dev/random only gives you bits that it thinks have good entropy,
and stalls or fails if you ask for more bits than it has right now,
and the pool of entropy it keeps is small, up to ~4096 bits.
Most machines can calculate public key encryption much faster than
they can obtain new physical or other high-quality entropy.
So if an attacker does enough connection requests or rekeys,
he can easily blow through 4096 bits of entropy.
/dev/urandom will give you pseudo-random bits if it's run out of entropy,
so you've got the security risks inherent in that.
As David Honig points out, you can't avoid those alternatives,
so if you need the high quality randomness, you need hardware randomizers.
Some of the key setup protocols are designed to reduce CPU-busting attacks;
Photuris does so explicitly, but I think someone's said that
ISAKMP/IKE doesn't do this well enough.
Thanks!
Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF 3C85 B884 0ABE 4639
