We have been discussing the importance of a unique random-seed file for each system. This is important even for systems that boot from read-only media such as CD.
To make this somewhat more practical, I have written a script to remix a .iso image so as to add one or more last-minute files. The leading application (but probably not the only application) is adding random-seed files. The script can be found at
  http://www.av8n.com/computer/fixup-live-cd

This version is literally two orders of magnitude more efficient than the rough pre-alpha version that I put up yesterday ... and it solves a more general problem, insofar as random-seed files are not the only things it can handle.

Early-boot software is outside my zone of comfort, let alone expertise, so I reckon somebody who is friends with Casper could make further improvements ... but at least for now this script serves as an "existence proof" to show that
 a) the PRNG situation is not hopeless, even for read-only media; and
 b) it is possible to remix Live CD images automatically and somewhat efficiently.

I think by taking two steps we can achieve a worthwhile improvement in security:
 -- each system should have its own unique random-seed file, with contents not known to the attackers; and
 -- the init.d/urandom script should seed the PRNG using "date +%s.%N" (as well as the random-seed file).

Neither step is worth nearly as much without the other, but the two of them together seem quite worthwhile.
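The two steps proposed above, sketched as an added example; this is not the fixup-live-cd script and not any distribution's init.d/urandom. The function names, the 512-byte seed size and the optional POOL argument (which lets the functions be pointed at an ordinary file) are assumptions, and `date +%s.%N` requires GNU date.

```shell
#!/bin/sh
# Added example: hypothetical helpers, not code from the post or from any distro.

# make_seed SEEDFILE
# Step 1: create a per-system random-seed file (run once per image when remixing).
# 512 bytes is an assumed size; the file is created readable by its owner only.
make_seed() {
    ( umask 077; dd if=/dev/urandom of="$1" bs=512 count=1 2>/dev/null )
}

# seed_prng SEEDFILE [POOL]
# Step 2: at boot, mix the current time (nanosecond resolution) and the seed
# file into the pool. POOL defaults to /dev/urandom; writing there mixes the
# bytes into the kernel pool without crediting any entropy.
seed_prng() {
    seedfile=$1
    pool=${2:-/dev/urandom}
    {
        date +%s.%N
        if [ -r "$seedfile" ]; then
            cat "$seedfile"
        else
            echo "warning: no random-seed file at $seedfile" >&2
        fi
    } >> "$pool"
}

# demo_two_systems
# Constructed scenario: two systems built from the same base image, each given
# its own seed file. Returns 0 if the bytes fed to their pools differ.
demo_two_systems() {
    tmp=$(mktemp -d) || return 1
    make_seed "$tmp/seed.A"
    make_seed "$tmp/seed.B"
    seed_prng "$tmp/seed.A" "$tmp/pool.A"
    seed_prng "$tmp/seed.B" "$tmp/pool.B"
    if cmp -s "$tmp/pool.A" "$tmp/pool.B"; then rc=1; else rc=0; fi
    rm -rf "$tmp"
    return $rc
}
```

On read-only media the seed file cannot be rewritten at shutdown, so the timestamp is the only input that changes from one boot of the same disc to the next.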