
Bugtraq mailing list archives

Re: Tempfile vulnerabilities
From: schoen () LOYALTY ORG (Seth David Schoen)
Date: Mon, 7 Feb 2000 16:01:21 -0800

Ian Turner writes:

> > Can it be so easy to DoS cryptographic software?
>
> Yes. If you don't trust your users to not deplete the entropy, then don't
> give them permission to read it.

An intermediate possibility is to have multiple RNGs with multiple sources
of entropy, or multiple RNGs with entropy divided among them somehow, or
a single RNG which enforces a reasonable policy of some sort when multiple
processes want to access it at once.

Modern multiuser operating systems have solved all _kinds_ of problems around
concurrency and dealing with contention over a shared resource.  There is
no reason that they should not be able to do exactly the same thing for an
entropy pool, if it becomes an issue.

Seth David Schoen <schoen () loyalty org>  | And do not say, I will study when I
Temp.  http://www.loyalty.org/~schoen/  | have leisure; for perhaps you will
down:  http://www.loyalty.org/   (CAF)  | not have leisure.  -- Pirke Avot 2:5
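
A small model of the last option in the message above, a single RNG that applies a policy when several consumers draw from it, next to a first-come-first-served baseline. This is an added illustration, not code from the original message or from any operating system; it models entropy accounting only, and the class name, the equal-split rule and the 256-bit cap are assumptions.

```python
class FairEntropyPool:
    """Models entropy accounting only; it generates no random bytes."""

    def __init__(self, per_consumer_cap_bits=256):   # cap is an assumed policy value
        self.cap = per_consumer_cap_bits
        self.budget = {}                              # consumer id -> bits it may draw

    def register(self, consumer):
        self.budget.setdefault(consumer, 0)

    def credit(self, bits):
        """Split newly gathered entropy among consumers still below their cap."""
        while bits > 0:
            hungry = [c for c, b in self.budget.items() if b < self.cap]
            if not hungry:
                return                                # all budgets full: surplus dropped
            share = max(1, bits // len(hungry))
            for c in hungry:
                give = min(share, self.cap - self.budget[c], bits)
                self.budget[c] += give
                bits -= give

    def draw(self, consumer, bits):
        """Debit only the caller's own budget; return the number of bits granted."""
        granted = min(bits, self.budget[consumer])
        self.budget[consumer] -= granted
        return granted


def simulate_fair(rounds=10, credit_per_round=64):
    """A greedy reader drains its budget every round; a key generator reads once."""
    pool = FairEntropyPool()
    for consumer in ("greedy", "keygen"):             # constructed consumer names
        pool.register(consumer)
    greedy_total = 0
    for _ in range(rounds):
        pool.credit(credit_per_round)
        greedy_total += pool.draw("greedy", 10_000)
    return greedy_total, pool.draw("keygen", 128)


def simulate_shared(rounds=10, credit_per_round=64):
    """Baseline: one shared counter that the greedy reader empties every round."""
    pool = 0
    for _ in range(rounds):
        pool += credit_per_round
        pool = 0                                      # greedy reader takes everything
    return min(128, pool)                             # bits left for the key generator
```

With per-consumer budgets the key generator still receives its 128 bits after ten rounds of greedy reads; with the shared counter it receives none.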
