[148909] in cryptography@c2.net mail archive


[Cryptography] Timing of saving RNG state

daemon@ATHENA.MIT.EDU (Viktor Dukhovni)
Fri Jan 3 14:39:41 2014

Date: Fri, 3 Jan 2014 19:37:49 +0000
From: Viktor Dukhovni <cryptography@dukhovni.org>
To: cryptography@metzdowd.com
In-Reply-To: <20140103180116.GB4336@thunk.org>
Reply-To: cryptography@metzdowd.com

On Fri, Jan 03, 2014 at 01:01:16PM -0500, Theodore Ts'o wrote:

> So for example, it's a really good idea to seed Linux's /dev/random
> with some unpredictable randomness.  We save some before system
> shutdown, and we reinitialize it with it on system startup.  But if
> you are starting up a VM from scratch, initializing the seed file with
> a secret is a useful thing to do.

Speaking of the timing of RNG state save/restore, Nico Williams
observes that it would be prudent to save state not only on (clean)
shutdown, but also at startup, immediately after the previously
saved seed is loaded.  That way after a power-outage, panic, ...
the seed does not start in the same state as on the previous boot.

[ Clearly the saved seed must be derived and later restored in a
way that ensures that the resumed PRNG stream is not identical with
the stream that will be generated from the state at the time of the
checkpoint.  This is not a difficult requirement to meet.  ]

-- 
	Viktor.
_______________________________________________
The cryptography mailing list
cryptography@metzdowd.com
http://www.metzdowd.com/mailman/listinfo/cryptography
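The save-at-startup discipline described in the message above, as an added example that is not part of the original post and not the Linux kernel's or any distribution's seed-file code. The DRBG is a toy HMAC-SHA256 ratchet; the names Drbg, boot, shutdown and two_boots_after_crash are hypothetical, and the "disk" is an in-memory dict so the script runs offline. It contrasts saving the seed only at clean shutdown (two crash-interrupted boots replay the same stream) with additionally rewriting the seed file right after it is loaded, and checks the bracketed requirement that the file on disk never reproduces the stream the running instance continues with.

```python
"""Seed-file handling for a deterministic RNG: save at startup, not only at shutdown.

Added example, not code from the original post or from any real kernel. The
DRBG is a toy HMAC-SHA256 construction for illustration; a real system would
feed the seed into the kernel CSPRNG (e.g. /dev/random) rather than run this.
"""
import hashlib
import hmac

SEED_LEN = 32


class Drbg:
    """Minimal HMAC-SHA256 DRBG with a ratcheting state (illustrative only)."""

    def __init__(self, state: bytes = bytes(SEED_LEN)):
        self.state = state

    def reseed(self, entropy: bytes) -> None:
        # Mix new material into the state; the old state alone no longer
        # predicts future output.
        self.state = hmac.new(self.state, b"reseed" + entropy, hashlib.sha256).digest()

    def generate(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hmac.new(self.state, b"generate", hashlib.sha256).digest()
            # Ratchet: the state that produced this output block is destroyed.
            self.state = hmac.new(self.state, b"ratchet", hashlib.sha256).digest()
        return out[:n]

    def export_seed(self) -> bytes:
        # The seed file holds DRBG *output*, never the raw state. Because
        # generate() ratchets, the stream this instance continues with differs
        # from the stream a later boot derives by reseeding from the file.
        return self.generate(SEED_LEN)


def boot(disk: dict, save_at_startup: bool) -> Drbg:
    """Simulate startup: load the seed file, then (optionally) rewrite it at once."""
    rng = Drbg()
    seed = disk.get("seed")
    if seed is not None:
        rng.reseed(seed)
    if save_at_startup:
        # Checkpoint immediately after loading, so a later panic or power loss
        # that skips shutdown() does not replay this boot's seed next time.
        disk["seed"] = rng.export_seed()
    return rng


def shutdown(disk: dict, rng: Drbg) -> None:
    """Clean shutdown: save fresh seed material for the next boot."""
    disk["seed"] = rng.export_seed()


def two_boots_after_crash(save_at_startup: bool) -> tuple:
    """Boot, draw output, crash (shutdown() never runs), boot again, draw output."""
    disk = {"seed": b"\x01" * SEED_LEN}  # constructed initial seed file
    first = boot(disk, save_at_startup).generate(16)
    # ... system panics / loses power here, so shutdown() is never called ...
    second = boot(disk, save_at_startup).generate(16)
    return first, second


def running_stream_differs_from_checkpoint() -> bool:
    """The file written at startup must not reproduce the live instance's stream."""
    disk = {"seed": b"\x02" * SEED_LEN}  # constructed initial seed file
    rng = boot(disk, save_at_startup=True)
    live = rng.generate(16)
    replay = Drbg()
    replay.reseed(disk["seed"])  # what the next boot will do with the file
    return live != replay.generate(16)


if __name__ == "__main__":
    a, b = two_boots_after_crash(save_at_startup=False)
    print("save only at shutdown, then crash: identical streams ->", a == b)
    a, b = two_boots_after_crash(save_at_startup=True)
    print("save at startup as well, then crash: identical streams ->", a == b)
    print("startup checkpoint reproduces the live stream ->",
          not running_stream_differs_from_checkpoint())
```

With only the shutdown save, the seed file is untouched across a crash and the two boots draw identical output; with the startup save the second boot reseeds from material the first boot derived, so the streams diverge even though no new entropy entered the system. Exporting DRBG output rather than state, and ratcheting afterwards, is what satisfies the requirement in the bracketed paragraph: an attacker who reads the seed file learns neither the state the live instance kept running with nor its subsequent output.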