Home page logo

bugtraq logo Bugtraq mailing list archives

Re: /dev/random is probably not
From: Jack Lloyd <lloyd () randombit net>
Date: Tue, 5 Jul 2005 12:45:14 -0400

On Sun, Jul 03, 2005 at 12:39:30PM -0700, Zow Terry Brugger wrote:

It's been a while since I looked at the /dev/random design on Linux (probably 
the early 2.4 days), however one thing that was quite clear was that they did 
not use any network I/O as entropy sources because an attacker, particularly 
one that already had control of other machines on the same LAN segment, could 
have a high degree of control over that source. I would be most interested if 
that has changed since the last time I looked at it.

ISTR that grsecurity has toggles that enable gathering entropy from network
traffic. Assuming the PRNG is any good, it shouldn't matter if an attacker can
manipulate such timings, because (by definition) a good PRNG will still behave
correctly even if an attacker does feed it lots of deliberately bad data (as
long as the PRNG also has been fed with a sufficient amount of unguessable
'good' input as well, of course).

   Windows family OSs.

All I can observe here is that F-secure SSH still (at least the most recent 
version I've used) collects its own entropy when running on Win2K, which 
indicates to me that either they want to operate the same on all Windows 
versions (as memory serves, Win95/98 does not have a RNG), or that Win2k does 
not have a suitable RNG.

Only Win95 pre OSR2 is missing CryptoAPI (and specifically CryptGenRandom).
However, it's my understanding that early versions of CryptGenRandom were not
that great.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]