Re: Tempfile vulnerabilities
From: schoen () LOYALTY ORG (Seth David Schoen)
Date: Mon, 7 Feb 2000 16:01:21 -0800
Ian Turner writes:

> > Can be so easy to DoS cryptographic software?
>
> Yes. If you don't trust your users to not deplete the entropy, then don't
> give them permission to read it.

An intermediate possibility is to have multiple RNGs with multiple sources
of entropy, or multiple RNGs with entropy divided among them somehow, or
a single RNG which enforces a reasonable policy of some sort when multiple
processes want to access it at once.

Modern multiuser operating systems have solved all _kinds_ of problems around
concurrency and dealing with contention over a shared resource. There is
no reason that they should not be able to do exactly the same thing for an
entropy pool, if it becomes an issue.
Seth David Schoen <schoen () loyalty org> | And do not say, I will study when I
Temp. http://www.loyalty.org/~schoen/ | have leisure; for perhaps you will
down: http://www.loyalty.org/ (CAF) | not have leisure. -- Pirke Avot 2:5
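
An added example, not part of the original message: a toy accounting model of the "entropy divided among them" idea, contrasting one shared pool with per-user partitions. All class and function names are hypothetical, the numbers are constructed, and the model tracks entropy estimates only; it is not a random number generator.

```python
class SharedEntropyPool:
    """One pool for everyone: any reader can drain it completely."""
    def __init__(self, capacity_bits=4096):
        self.cap = capacity_bits
        self.available = 0

    def credit(self, bits):
        self.available = min(self.cap, self.available + bits)

    def read(self, uid, bits):
        granted = min(bits, self.available)
        self.available -= granted
        return granted  # a blocking reader would wait for the remainder


class PartitionedEntropyPool:
    """Incoming entropy is split evenly; each uid draws only on its own share."""
    def __init__(self, uids, capacity_bits=4096):
        if not uids:
            raise ValueError("at least one uid is required")
        self.cap = capacity_bits // len(uids)   # per-user ceiling
        self.balance = {uid: 0 for uid in uids}
        self._next = 0                          # rotates who receives leftover bits

    def credit(self, bits):
        n = len(self.balance)
        share, extra = divmod(bits, n)
        for i, uid in enumerate(self.balance):
            bonus = 1 if (i - self._next) % n < extra else 0
            self.balance[uid] = min(self.cap, self.balance[uid] + share + bonus)
        self._next = (self._next + extra) % n

    def read(self, uid, bits):
        granted = min(bits, self.balance[uid])
        self.balance[uid] -= granted
        return granted


def simulate(pool, rounds=10, rate=64):
    """A greedy reader drains after every credit; the victim then asks for 128 bits."""
    for _ in range(rounds):
        pool.credit(rate)
        pool.read("greedy", 10**6)
    return pool.read("victim", 128)


if __name__ == "__main__":
    print("shared pool, victim granted:", simulate(SharedEntropyPool()))
    print("partitioned pool, victim granted:",
          simulate(PartitionedEntropyPool(["greedy", "victim"])))
```
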