Re: /dev/random and virtual systems

2010-08-03 Thread Paul Hoffman
At 10:38 PM +0300 8/2/10, Yaron Sheffer wrote:
> the interesting thread on seeding and reseeding /dev/random did not mention
> that many of the most problematic systems in this respect are virtual
> machines. Such machines (when used for cloud computing) are not only
> servers, so have few sources of true and hard-to-observe entropy. Often they
> are cloned from snapshots of a single virtual machine, i.e. many VMs start
> life with one common RNG state, that doesn't even know that it's a clone.
>
> In addition to the mitigations that were discussed on the list, such machines
> could benefit from seeding /dev/random (or periodically reseeding it) from the
> *host machine's* RNG. This is one thing that's guaranteed to be different
> between VM instances. So my question to the list: is this useful? Is this
> doable with popular systems (e.g. Linux running on VMWare or VirtualBox)? Is
> this actually being done?

It is certainly doable: put a file on the host whose contents are random and
change every second. On the VM, read that file on wakeup or boot and mix it
into /dev/random. This guarantees a different value for each wakeup/boot, but
not that every cloned machine that starts will have a unique state (because
they might start within the same refresh). If you need that, you probably want
to automatically mix a microsecond-accurate time at the same time.

--Paul Hoffman, Director
--VPN Consortium

-
The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to majord...@metzdowd.com
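
A guest-side implementation of the scheme described in the message above, added here as an example and not code from the thread. The seed path `/mnt/host/rng-seed`, the 32-byte minimum and all function names are assumptions.

```python
import os
import struct
import time

MIN_SEED_BYTES = 32  # assumption: refuse a host seed shorter than 256 bits


def read_host_seed(seed_path, min_bytes=MIN_SEED_BYTES):
    """Read the host-provided seed file; fail loudly if it is missing or short."""
    with open(seed_path, "rb") as f:
        seed = f.read()
    if len(seed) < min_bytes:
        raise ValueError(f"host seed too short: {len(seed)} < {min_bytes} bytes")
    return seed


def seed_material(host_seed, now_us=None):
    """Host seed followed by a microsecond timestamp (8 bytes, big-endian).

    The timestamp separates clones that read the host file within the same
    refresh interval; it is a tie-breaker, not a source of secret entropy.
    """
    if now_us is None:
        now_us = time.time_ns() // 1000
    return host_seed + struct.pack(">Q", now_us)


def mix_into_pool(seed_path, pool_path="/dev/random", now_us=None):
    """Write the material to the kernel pool device and return what was written.

    On Linux a plain write to /dev/random mixes the bytes into the pool but
    does not raise the kernel's entropy estimate, so untrusted or repeated
    input cannot make the pool look better than it is.
    """
    material = seed_material(read_host_seed(seed_path), now_us)
    fd = os.open(pool_path, os.O_WRONLY)
    try:
        view = memoryview(material)
        while view:  # handle short writes
            view = view[os.write(fd, view):]
    finally:
        os.close(fd)
    return material


if __name__ == "__main__":
    # Constructed path: where the guest sees the host's once-per-second file.
    mix_into_pool("/mnt/host/rng-seed")
```

Two clones that read the same host bytes and also get the same microsecond timestamp still write identical material, which is the residual case the message points out.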


Re: /dev/random and virtual systems

2010-08-03 Thread Henrique de Moraes Holschuh
On Mon, 02 Aug 2010, Yaron Sheffer wrote:
> the interesting thread on seeding and reseeding /dev/random did not
> mention that many of the most problematic systems in this respect
> are virtual machines. Such machines (when used for cloud

Any decent hypervisor can supply entropy to the VMs.  For about
US$100/hypervisor you add a slow speed (less than 1Mbit/s) TRNG, or you
can get a high-speed one for around US$ 1000/hypervisor, and distribute
the entropy for all VMs.  It is very cost-effective.

Datacenters are easy, you can just buy a few low power VIA PadLock boxes
and have them distribute several Mbit/s of entropy over the network.
You can have at least 2 of them per 1U, or a lot more for custom
designs or piled up in 2U using a shelf.

You don't need entropy to use asymmetric crypto to authenticate, receive
an encrypted session key, and proceed to receive an encrypted stream, so
the network and a cluster of entropy boxes is usable for initial seeding
as well.

Desktops with live-CDs and half-assed embedded boxes that lack a TRNG
are the real problem.

> In addition to the mitigations that were discussed on the list, such
> machines could benefit from seeding /dev/random (or periodically
> reseeding it) from the *host machine's* RNG. This is one thing
> that's guaranteed to be different between VM instances. So my
> question to the list: is this useful? Is this doable with popular
> systems (e.g. Linux running on VMWare or VirtualBox)? Is this
> actually being done?

It is done, yes.  I am not sure how out-of-the-box that is, but there
are Linux kernel drivers to get entropy from the hypervisor.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh



Re: /dev/random and virtual systems

2010-08-03 Thread Paul Wouters

On Mon, 2 Aug 2010, Yaron Sheffer wrote:

> In addition to the mitigations that were discussed on the list, such machines
> could benefit from seeding /dev/random (or periodically reseeding it) from
> the *host machine's* RNG. This is one thing that's guaranteed to be different
> between VM instances. So my question to the list: is this useful? Is this
> doable with popular systems (e.g. Linux running on VMWare or VirtualBox)? Is
> this actually being done?

Both xen and kvm do not do this currently. It is problematic for servers.

Paul



Re: /dev/random and virtual systems

2010-08-03 Thread Thomas
Hi,
we are using haveged in our VMs to feed the random pool and
it seems to work well (means: statistical verification of
the output looks good, nearly 0 entropy overestimation, but
we never correlated output from cloned VMs).

I assume feeding the VMs from the host system can be problematic
because the host system itself often doesn't have enough entropy.
Much entropy is needed today for protocols, session IDs and the
elf_loader(!).

Cheerio
Thomas

On Monday, 02 August 2010, 21:38:10, Yaron Sheffer wrote:
> Hi,
>
> the interesting thread on seeding and reseeding /dev/random did not
> mention that many of the most problematic systems in this respect are
> virtual machines. Such machines (when used for cloud computing) are
> not only servers, so have few sources of true and hard-to-observe
> entropy. Often they are cloned from snapshots of a single virtual
> machine, i.e. many VMs start life with one common RNG state, that
> doesn't even know that it's a clone.
>
> In addition to the mitigations that were discussed on the list, such
> machines could benefit from seeding /dev/random (or periodically
> reseeding it) from the *host machine's* RNG. This is one thing that's
> guaranteed to be different between VM instances. So my question to the
> list: is this useful? Is this doable with popular systems (e.g. Linux
> running on VMWare or VirtualBox)? Is this actually being done?
>
> Thanks,
>  Yaron


Re: /dev/random and virtual systems

2010-08-03 Thread Perry E. Metzger
On Mon, 2 Aug 2010 20:17:42 -0300 Henrique de Moraes Holschuh
h...@debian.org wrote:
> Desktops with live-CDs and half-assed embedded boxes that lack a
> TRNG are the real problem.

I'm not sure what to do about the live CD problem, but in a previous
iteration of this discussion a couple of years ago, I proposed that
using a strong cipher (like AES) with a key installed at the factory
was probably the right solution to the $40 embedded device problem. I
can dig up my much longer exposition on that if anyone wishes.

-- 
Perry E. Metzger    pe...@piermont.com



Re: /dev/random and virtual systems

2010-08-03 Thread Henrique de Moraes Holschuh
On Mon, 02 Aug 2010, Paul Wouters wrote:
> On Mon, 2 Aug 2010, Yaron Sheffer wrote:
>> In addition to the mitigations that were discussed on the list,
>> such machines could benefit from seeding /dev/random (or
>> periodically reseeding it) from the *host machine's* RNG. This is
>> one thing that's guaranteed to be different between VM instances.
>> So my question to the list: is this useful? Is this doable with
>> popular systems (e.g. Linux running on VMWare or VirtualBox)? Is
>> this actually being done?
>
> Both xen and kvm do not do this currently. It is problematic for servers.

The virtio-rng driver does it almost out-of-the-box, but it is sort of
new.

Both Xen and KVM let you create communication channels between the
Hypervisor and a specific VM, which you can use to distribute entropy
from the hypervisor to rng-tools inside the VM.

-- 
  One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie. -- The Silicon Valley Tarot
  Henrique Holschuh



/dev/random and virtual systems

2010-08-02 Thread Yaron Sheffer

Hi,

the interesting thread on seeding and reseeding /dev/random did not 
mention that many of the most problematic systems in this respect are 
virtual machines. Such machines (when used for cloud computing) are 
not only servers, so have few sources of true and hard-to-observe 
entropy. Often they are cloned from snapshots of a single virtual
machine, i.e. many VMs start life with one common RNG state, that 
doesn't even know that it's a clone.


In addition to the mitigations that were discussed on the list, such 
machines could benefit from seeding /dev/random (or periodically 
reseeding it) from the *host machine's* RNG. This is one thing that's 
guaranteed to be different between VM instances. So my question to the 
list: is this useful? Is this doable with popular systems (e.g. Linux 
running on VMWare or VirtualBox)? Is this actually being done?


Thanks,
Yaron
