[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: /dev/random for FreeBSD [was: Re: /dev/random for Linux]



>    Something I didn't mention earlier; we felt that letting the unwashed
>    masses read /dev/*random was not a good idea, as they could deplete
>    the pool of entropy all to easily for attack purposes. 
> 
> That should be a system administration issue.  If someone wants to make
> /dev/random readable only by root at their site, that's their business.
> I don't see any point in trying to enforce that in the kernel code.

Is not in the kernel, this is just the permissions on /dev/*random.

> I don't agree that restricting read access is useful.  First of all, if
> the pool of entropy is depleted, someone who tries to obtain entropy by
> reading /dev/random will know that they didn't get enough entropy.  So
> assuming a program that actually checks return values from system calls,
> this is at worse a denial of service attack, and there are much easier
> ways of performing those srots of attacks: "while (1) fork()", for
> example.

Hmm. Lemme think about this...

> Secondly, making /dev/random only readable by "privileged programs"
> means that people won't be able to compile their own version of PGP that
> can take advantage of the random number generator.  Instead, they would
> have to use a setuid version of PGP, and I'm quite sure PGP wasn't
> written such that it would be safe to turn on its setuid bit.  

How about SetGID? We were going for 660 root.kmem.

> Finally, even if you did have trustworthy applications which you could
> setuid and only allow those programs to have access to /dev/random,
> someone who repeatedly ran those applications could still end up
> depleteing the pool of entropy.
> 
> So in the general case I would advise that /dev/random be left world
> readable, since you *do* want general user programs to have access to
> high quality random numbers.  

Ponder... I'll put this forward.

> Again, /dev/random can be set to whatever permissions the system
> administrator wants.  Secondly, writing to /dev/random merely adds
> randomness to the pool, via the mixing algorithm.  It won't actually
> permit people to *set* the state of the pool, and assuming that the
> state of the pool is not known before the write operation, writing to it
> won't allow the user to know what the state is after the write
> operation.

What happens if some attacker does:

for (;;) {
	write_to_devrandom(NULL);
	check_to_see_if_state_is_crackable();
}

? "Gut feel" suggests to me that large ammounts of "predicted" input might
be worse than the normal sort of system noise you have been using.

> And, for race condition reasons, something which I need to implement
> soon is an ioctl(), usuable only by root, that simultaneously updates
> the entropy estimate *and* submits data to be mixed into the pool.  (Why
> this is necessary should be obvious after a few minutes thought.)

Clue me in - I'm not quite with you? :-)

>    Are you sure about this? The stochastisity if this would be pretty
>    hefty. Not only would our attacker have to get the _time_ that the
>    interrupt occurred (if it interrupted our machine), he would then have
>    to process in brute-force mode all possible times in his error range.
>    What is more, more interrupts are coming in...
> 
> I didn't say that it would be trivial for an attacker to do this, but
> it's certainly *doable*.  Some of the network traffic analyzers that
> have been made available (I think Sandia National Labs has one that does
> this), records down to millisecond accuracy when a packet was sniffed on
> the network.  

Is this millisecond accuracy quantifiable in terms of bits of entropy?
if so, the ethernet is surely safe?

> For this reason, people shouldn't really trust initializing PGP's random
> number generator over a network connection, since it is possible for an
> adversary to obtain very high quality timings of when your telnet or
> rlogin packets appeared on the network, and hence be able to guess
> (within some error range) what the interkeyboard timings which PGP used
> to initialize its random number generator.
> 
> The adversary might have to try a large number of possibilities, but if
> the number of possibilities is less than a brute-force search, you
> definitely have a weakness --- a fact which Netscape learned to its
> embarassment a few weeks ago.

Again, if you can quantify the number of possibilities into bits of entropy,
your code is good. Depending on current technology, this may have to change.

M

--
Mark Murray
46 Harvey Rd, Claremont, Cape Town 7700, South Africa
+27 21 61-3768 GMT+0200
Finger [email protected] for PGP key