[148074] in cryptography@c2.net mail archive
Re: [Cryptography] randomness +- entropy
daemon@ATHENA.MIT.EDU (Yaron Sheffer)
Thu Nov 7 13:44:08 2013
X-Original-To: cryptography@metzdowd.com
Date: Thu, 07 Nov 2013 11:41:02 +0200
From: Yaron Sheffer <yaronf.ietf@gmail.com>
To: Theodore Ts'o <tytso@mit.edu>,
Hannes Frederic Sowa <hannes@stressinduktion.org>
In-Reply-To: <20131106031416.GG14235@thunk.org>
Cc: John Kelsey <crypto.jmk@gmail.com>, Watson Ladd <watsonbladd@gmail.com>,
Cryptography <cryptography@metzdowd.com>,
RNG mlist <rng@lists.bitrot.info>, John Denker <jsd@av8n.com>
Errors-To: cryptography-bounces+crypto.discuss=bloom-picayune.mit.edu@metzdowd.com
> On Wed, Nov 06, 2013 at 12:38:32AM +0100, Hannes Frederic Sowa wrote:
>>
>> Why not always print a warning once if someone tried to extract
>> randomness before the pool was fully initialized? I would even consider
>> adding a WARN_ONCE there so that it is really visible to the user. Maybe
>> kerneloops.org or some other distro infrastructure could uncover which
>> devices have their nonblocking random pool initialized too late.
>
> What, you mean like this?
>
> http://git.kernel.org/cgit/linux/kernel/git/tytso/random.git/commit/?h=dev&id=392a546dc8368d1745f9891ef3f8f7c380de8650
>
> Actually, things aren't too bad. The primary problematical caller
> that I noted was:
>
> random: rc80211_minstrel_ht_init+0x2b/0x6a get_random_bytes called with 23 bits of entropy available
>
> ... however, this looks like it's not a security problem, since as
> near as I can tell the code in question doesn't actually need
> cryptographic randomness. It simply dates back to before
> prandom_u32() existed in the kernel. (We have a similar use case in
> ext4, where we only need a PRNG, and not a CSRNG. Although
> fortunately, by the time the file system is remounted r/w, urandom is
> typically already initialized, so we're not actually triggering this
> warning.)
>
When this Minstrel guy reads urandom (which only has 23 bits of entropy
at the time), do you reset the entropy estimate to 0? If you don't, and
Minstrel broadcasts the random value somehow (in this case, as a timing
value), an attacker can easily discover the first 23 bits of entropy,
which would make guessing the PRNG value of the next consumer much easier.
Thanks,
Yaron
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
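The argument in Yaron's reply, worked through as an added example that is not from the thread or the Linux kernel: a constructed toy pool (SHA-256 state and extractor, 16 bits of entropy instead of 23) serves one consumer whose output becomes observable, and the model shows that recovering the pool state costs only 2^k work and lets the observer predict the next consumer's output unless fresh entropy is mixed in first.

```python
import hashlib
import os
import secrets
from typing import Optional

# Constructed toy model (not the Linux pool): the pool holds only
# `entropy_bits` of unknown input when the first consumer reads, that
# consumer's output is published, and a second consumer reads next.


def pool_state(entropy_bits: int, seed: int) -> bytes:
    """Pool state derived from only `entropy_bits` of unknown input."""
    assert 0 <= seed < (1 << entropy_bits)
    return hashlib.sha256(b"pool|" + seed.to_bytes(8, "big")).digest()


def extract(state: bytes, position: int) -> bytes:
    """Hash-based output function of the pool state and request position."""
    return hashlib.sha256(state + position.to_bytes(4, "big")).digest()


def recover_seed(observed: bytes, entropy_bits: int) -> Optional[int]:
    """Enumerate every seed consistent with the leaked first output.
    Work is 2**entropy_bits extractions, i.e. exactly the entropy count."""
    for guess in range(1 << entropy_bits):
        if extract(pool_state(entropy_bits, guess), 0) == observed:
            return guess
    return None


def next_output_predictable(entropy_bits: int, mix_fresh_entropy: bool) -> bool:
    """True if whoever saw the first output can predict the second one."""
    secret_seed = secrets.randbelow(1 << entropy_bits)
    state = pool_state(entropy_bits, secret_seed)
    leaked = extract(state, 0)  # first consumer's output, published (e.g. a timing value)
    if mix_fresh_entropy:
        # Mitigation: treat the leaked bits as spent (estimate back to 0)
        # and mix fresh input before serving the next consumer.
        state = hashlib.sha256(state + os.urandom(32)).digest()
    actual = extract(state, 1)
    seed = recover_seed(leaked, entropy_bits)
    predicted = extract(pool_state(entropy_bits, seed), 1)
    return predicted == actual


if __name__ == "__main__":
    print("no reseed, next output predictable:", next_output_predictable(16, False))
    print("reseeded,  next output predictable:", next_output_predictable(16, True))
```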