[145592] in cryptography@c2.net mail archive
/dev/random and virtual systems
daemon@ATHENA.MIT.EDU (Yaron Sheffer)
Mon Aug 2 15:42:04 2010
Date: Mon, 02 Aug 2010 22:38:10 +0300
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: cryptography@metzdowd.com
Hi,
the interesting thread on seeding and reseeding /dev/random did not
mention that many of the most problematic systems in this respect are
virtual machines. Such machines (when used for "cloud computing") are
not only servers, so have few sources of true and hard-to-observe
entropy. Often the are cloned from snapshots of a single virtual
machine, i.e. many VMs start life with one common RNG state, that
doesn't even know that it's a clone.
In addition to the mitigations that were discussed on the list, such
machines could benefit from seeding /dev/random (or periodically
reseeding it) from the *host machine's* RNG. This is one thing that's
guaranteed to be different between VM instances. So my question to the
list: is this useful? Is this doable with popular systems (e.g. Linux
running on VMWare or VirtualBox)? Is this actually being done?
Thanks,
Yaron
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
