[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: /dev/random for FreeBSD [was: Re: /dev/random for Linux]



   Date: Mon, 30 Oct 1995 21:25:50 +0200
   From: Mark Murray <[email protected]>

   Version 0.92 21st Sept 1995.

Yup, there's a more recent version in the Linux tree at this point.

   Something I didn't mention earlier; we felt that letting the unwashed
   masses read /dev/*random was not a good idea, as they could deplete
   the pool of entropy all to easily for attack purposes. 

That should be a system administration issue.  If someone wants to make
/dev/random readable only by root at their site, that's their business.
I don't see any point in trying to enforce that in the kernel code.

I don't agree that restricting read access is useful.  First of all, if
the pool of entropy is depleted, someone who tries to obtain entropy by
reading /dev/random will know that they didn't get enough entropy.  So
assuming a program that actually checks return values from system calls,
this is at worse a denial of service attack, and there are much easier
ways of performing those srots of attacks: "while (1) fork()", for
example.

Secondly, making /dev/random only readable by "privileged programs"
means that people won't be able to compile their own version of PGP that
can take advantage of the random number generator.  Instead, they would
have to use a setuid version of PGP, and I'm quite sure PGP wasn't
written such that it would be safe to turn on its setuid bit.  

Finally, even if you did have trustworthy applications which you could
setuid and only allow those programs to have access to /dev/random,
someone who repeatedly ran those applications could still end up
depleteing the pool of entropy.

So in the general case I would advise that /dev/random be left world
readable, since you *do* want general user programs to have access to
high quality random numbers.  

   For the same (or similar) reason, giving the said unwashed masses
   _write_ privelige might allow them to set /dev/*random to a known
   state. You've probably already thought of this, but I just had to say
   it :-).

Again, /dev/random can be set to whatever permissions the system
administrator wants.  Secondly, writing to /dev/random merely adds
randomness to the pool, via the mixing algorithm.  It won't actually
permit people to *set* the state of the pool, and assuming that the
state of the pool is not known before the write operation, writing to it
won't allow the user to know what the state is after the write
operation.

The ioctl() which sets the entropy estimate, however, *does* need to be
runnable only by the superuser, however, since that does represent an
attack path.

And, for race condition reasons, something which I need to implement
soon is an ioctl(), usuable only by root, that simultaneously updates
the entropy estimate *and* submits data to be mixed into the pool.  (Why
this is necessary should be obvious after a few minutes thought.)

   > For example, although it
   > may not be obvious, the network interrupt may not be a good choice,
   > since an adversary who is monitoring the ethernet cable can make a
   > pretty good guess about the timing of your network interrupts, and hence
   > what the likely inputs are to the random number pool might be.

   Are you sure about this? The stochastisity if this would be pretty
   hefty. Not only would our attacker have to get the _time_ that the
   interrupt occurred (if it interrupted our machine), he would then have
   to process in brute-force mode all possible times in his error range.
   What is more, more interrupts are coming in...

I didn't say that it would be trivial for an attacker to do this, but
it's certainly *doable*.  Some of the network traffic analyzers that
have been made available (I think Sandia National Labs has one that does
this), records down to millisecond accuracy when a packet was sniffed on
the network.  

For this reason, people shouldn't really trust initializing PGP's random
number generator over a network connection, since it is possible for an
adversary to obtain very high quality timings of when your telnet or
rlogin packets appeared on the network, and hence be able to guess
(within some error range) what the interkeyboard timings which PGP used
to initialize its random number generator.

The adversary might have to try a large number of possibilities, but if
the number of possibilities is less than a brute-force search, you
definitely have a weakness --- a fact which Netscape learned to its
embarassment a few weeks ago.

   Hokay! Please also send me _your_ latest. (BTW - did Linus put it in
   his latest kernel?)

Yup.  1.1.34 and higher has most of my changes.  (I'm still making
changes which are still in development, though.  Mostly incremental
improvements of one sort or another.)

							- Ted