Am Freitag, 13. September 2013, 14:59:31 schrieb Theodore Ts'o: Hi Theodore,
>On Fri, Sep 13, 2013 at 07:36:20AM +0200, Stephan Mueller wrote: > >However, if you are worried about a malicious entropy source, things >are a little bit different. Suppose RDRAND == AES(i++, NSA_KEY), >where the NSA doesn't know the starting value of i. But if it get can >get a raw RDRAND value (say, someone uses it without doing any >whitening as a session key or as a D-H parameter), it can decrypt the >output using the NSA_KEY, and then now that it knows i, it can brute >force break the RDRAND output, even if it's not entirely sure how many >times RDRAND has been called between that cleanb RDRAND value and the >RDRAND output it is trying to break. > >In *this* case, smearing out the value of RDRAND across the entropy >pool does help, becuase it makes it significantly harder to get a >clean RDRAND value to decrypt. Agreed. I was only talking about "well-behaved" entropy sources. > > >That being said, the much bigger problem that I'm worried about is not >necessarily a trojan'ed RDRAND, but rather on embedded ARM and MIPS >devices where we have unsufficient entropy, and on the first boot out >of the box, there is no random seed file that can be fixed in at boot Yes, my local MIPS-based router which is a very ubiquitous one in Germany (Fritz Box) does not seed /dev/random but yet starts using /dev/urandom during boot cycle. >time. Mixing in personalization information (serial numbers, MAC >addresses) which *hopefully* the NSA wouldn't know in the case of >pervasive, bulk surveillance, is a bit of a help. But it's certainly >no help against a direct, targetted attack. That is why I am hoping that the CPU jitter as harvested by my RNG will help as it delivers entropy on demand in a bandwidth where the initial seeding may not needed any more and we have sufficient entropy during boot sequence. > >Regards, > > - Ted Ciao Stephan -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
