Re: The perils of security tools
Ben Laurie [EMAIL PROTECTED] writes:

> Steven M. Bellovin wrote:
>> On Sat, 24 May 2008 20:29:51 +0100 Ben Laurie [EMAIL PROTECTED] wrote:
>>> Of course, we have now persuaded even the most stubborn OS that randomness matters, and most of them make it available, so perhaps this concern is moot. Though I would be interested to know how well they do it! I did have some input into the design for FreeBSD's, so I know it isn't completely awful, but how do other OSes stack up?
>>
>> I believe that all open source Unix-like systems have /dev/random and /dev/urandom; Solaris does as well.
>
> I meant: how good are the PRNGs underneath them?

For the Linux kernel, there is a paper: http://eprint.iacr.org/2006/086

Another important aspect is the semantics of the devices: none of the /dev/*random devices are standardized anywhere (as far as I know). Their semantics can and do differ. This is a larger practical problem. For example, reading a lot of data from Linux's /dev/urandom will deplete the entropy pool in the kernel, which effectively makes reads from /dev/random stall. The two devices use the same entropy pool.

I believe a much better approach would be if /dev/urandom was a fast and secure PRNG, with perfect-forward-secrecy properties, and /dev/random was a slow device with real entropy (whatever that means..) gathered from the hardware. The two devices would share little or no code. The /dev/urandom PRNG seed could be fed data from /dev/random from time to time, or from other sources (like kernel task switching timings).

I believe designs like this have been proposed from time to time, but there hasn't been any uptake.

/Simon

-
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
not crypto, but fraud detection
*Irish Bank Debit Card Skimmers Net €1m*
http://www.epaynews.com/index.cgi?survey=ref=browsef=viewid=121179135013743148197block=

from above:

> Most of the withdrawals took place at the end of April and early May 2008. Many of the victims contacted their banks to notify them of the withdrawals, as the banks’ fraud detection systems had failed to spot the suspicious activity.

... snip ...
Re: The perils of security tools
Steven M. Bellovin wrote:
> On Sat, 24 May 2008 20:29:51 +0100 Ben Laurie [EMAIL PROTECTED] wrote:
>> Of course, we have now persuaded even the most stubborn OS that randomness matters, and most of them make it available, so perhaps this concern is moot. Though I would be interested to know how well they do it! I did have some input into the design for FreeBSD's, so I know it isn't completely awful, but how do other OSes stack up?
>
> I believe that all open source Unix-like systems have /dev/random and /dev/urandom; Solaris does as well.

Yes, but with different semantics:

    /dev/urandom is a compatibility nod to Linux. On Linux, /dev/urandom will produce lower quality output if the entropy pool drains, while /dev/random will prefer to block and wait for additional entropy to be collected. With Yarrow, this choice and distinction is not necessary, and the two devices behave identically. You may use either.

(random(4) from Mac OSX.)

Depending on where you are in the security paranoia equation, the differences matter little or a lot. If doing medium level security, it's fine to outsource the critical components to the OS, and accept any failings. If doing paranoid-level stuff, then best to implement one's own mix and just stir in the OS level offering. That way we reduce the surface area for lower-layer config attacks like the Debian adventure.

iang
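The two-device split Simon proposes above (a fast PRNG with forward secrecy on /dev/urandom, reseeded occasionally from a slow entropy device on /dev/random, sharing no code) and iang's point about keeping one's own mix that only consumes the OS offering at controlled points, as an added Python model that is not code from any post, kernel or project; the entropy-credit accounting, the hash ratchet and the sample inputs are constructed for illustration.

```python
import hashlib


class EntropyPool:
    """Slow side (the proposed /dev/random): mixes hardware samples into a pool
    and refuses to emit more than it was credited. A real device would block;
    this model raises instead so the behaviour can be tested."""

    def __init__(self) -> None:
        self._pool = b""
        self._credited_bits = 0

    def add_sample(self, sample: bytes, estimated_bits: int) -> None:
        self._pool = hashlib.sha256(self._pool + sample).digest()
        self._credited_bits += estimated_bits

    def read(self, n: int) -> bytes:
        if n * 8 > self._credited_bits:
            raise BlockingIOError("would block: insufficient credited entropy")
        self._credited_bits -= n * 8
        out = hashlib.sha256(b"pool-out" + self._pool).digest()[:n]
        self._pool = hashlib.sha256(b"pool-next" + self._pool).digest()  # ratchet
        return out


class ForwardSecureDRBG:
    """Fast side (the proposed /dev/urandom): a hash ratchet that replaces its
    state after every output block, so a later state compromise does not reveal
    earlier output, and that touches the slow pool only when it reseeds."""

    def __init__(self, pool: EntropyPool, reseed_interval: int = 1024) -> None:
        self._pool = pool
        self._interval = reseed_interval
        self._state = b""
        self.reseed()

    def reseed(self) -> None:
        fresh = self._pool.read(32)  # the only point where the slow side is consumed
        self._state = hashlib.sha256(b"reseed" + self._state + fresh).digest()
        self._blocks_since_reseed = 0

    def read(self, n: int) -> bytes:
        out = bytearray()
        while len(out) < n:
            if self._blocks_since_reseed >= self._interval:
                self.reseed()  # raises if the slow side has nothing to give
            out += hashlib.sha256(b"out" + self._state).digest()
            self._state = hashlib.sha256(b"next" + self._state).digest()  # ratchet
            self._blocks_since_reseed += 1
        return bytes(out[:n])
```

Reading from the fast side never drains the slow side between reseeds, which is exactly the coupling Simon objects to in the shared-pool design; only a reseed can stall.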
Re: The perils of security tools
On May 24, 2008, at 9:18 PM, Steven M. Bellovin wrote:
> I believe that all open source Unix-like systems have /dev/random and /dev/urandom; Solaris does as well.

By the way, Solaris is an open source Unix-like system nowadays. ;-)

Regards,

Zooko
Re: The perils of security tools
On May 25, 2008, at 6:02 AM, Ben Laurie wrote:
> I meant: how good are the PRNGs underneath them?

Not a direct answer to your question, but somewhat relevant as context is Michal Zalewski's analysis of TCP/IP sequence number predictability across operating systems: http://lcamtuf.coredump.cx/newtcp/

It's several years out of date, however.

--
Ivan Krstić [EMAIL PROTECTED] | http://radian.org