On Wed, 14 Feb 2001 [EMAIL PROTECTED] wrote:

> > I don't think I need to tell people on this list
> why that's absolutely
> > horrible; I'm just pointing out that code is
> still released today with
> > crap like this.  I would have thought we'd
> learned this lesson years
> > ago with the AFS, krb4, Netscape, et al
> vulnerabilities.
>
>
> You know what?  I happen to agree with you -- so
> far as this not being a particularly lovely way to
> seed a PRNG goes.  Due to a miscommunication, some
> documentation of why one *really* oughtn't use
> this fallback method wasn't included in the public
> FreSSH distribution -- thankfully, since just
> about everyone in the world *does* have a
> /dev/random (whatever name it's called by; this
> code is in an OS-dependent source file that has
> the appropriate name for the OS in question in it)
> just about nobody does get stuck with this.

If only this was the case! AIX, HP/UX, Solaris (without addons) and most
other commercial Unices lack /dev/random so this fallback is almost
certain.

> However, some more notes on what they get stuck
> with:
>
> * worst-case, it degenerates to the internal
> seeding of the OpenSSL PRNG, even if we fed it
> _nothing_ else at all.  OpenSSL doesn't really
> suck about this.

OpenSSL's random number routines don't suck, but they don't do any real
seeding of their own. Fortunately recent versions will fail when
attempting to obtain randomness when the PRNG has not been correctly
seeded. Unfortunately the bad code mentioned may pump enough bytes into
the PRNG for it to consider itself seeded - thus losing OpenSSL's
protection.

> * it doesn't _quite_ degenerate to just the code
> you pasted above; several timings are mixed in,
> not just at seed time but over the course of the
> daemon's run.

Have you estimated the total entropy supplied by this seeding activity? It
needs to be (at the very least) greater than the entropy consumed in
generating

1) long term server keys
2) 'ephemeral' server RSA keys
3) session keys

-d


--
| Damien Miller <[EMAIL PROTECTED]> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          /   distributed filesystem'' - Dan Geer
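
An added worked example of the two points made in the reply above: a seeded-check that counts bytes mixed in can be satisfied by low-entropy fallback data, while an honest entropy-credit check against the key-generation budget is not. This is illustration code written for this page, not code from FreSSH, OpenSSL or either correspondent. The timestamp samples and the per-key entropy budget are constructed; the "32 bytes needed" threshold and "credit every byte as a full byte of entropy" path are a simplified model of how OpenSSL 0.9.x's RAND_seed()/ENTROPY_NEEDED accounting behaves, not its actual implementation.

```python
import math
import struct
import hashlib
from collections import Counter

# Constructed stand-in for what a /dev/random-less fallback has to mix in:
# 32 one-second-resolution timestamps taken over four seconds, so only four
# distinct values, each seen eight times.
FALLBACK_TIME_SAMPLES = [982_000_000 + i // 8 for i in range(32)]

# Constructed entropy budget (bits) for the three kinds of key material the
# reply lists. Real figures depend on key sizes and how many sessions are served.
KEY_ENTROPY_BUDGET_BITS = {
    "long_term_server_key": 128,
    "ephemeral_server_rsa_key": 128,
    "session_key": 128,
}

# Modelled after OpenSSL 0.9.x's ENTROPY_NEEDED (assumption, not its code).
NAIVE_SEEDED_THRESHOLD_BYTES = 32


def min_entropy_bits_per_sample(samples):
    """Min-entropy of the empirical distribution, -log2(p_max).

    This treats samples as independent draws, so it ignores that consecutive
    timestamps are sequentially predictable: it is an optimistic upper bound.
    """
    if not samples:
        return 0.0
    p_max = Counter(samples).most_common(1)[0][1] / len(samples)
    return -math.log2(p_max)


def estimated_source_entropy_bits(samples):
    """Optimistic total: per-sample min-entropy times number of samples."""
    return min_entropy_bits_per_sample(samples) * len(samples)


def total_budget_bits(budget=KEY_ENTROPY_BUDGET_BITS):
    """Entropy that must have been credited before all the listed keys exist."""
    return sum(budget.values())


class SeedPool:
    """Toy seed pool keeping both kinds of accounting side by side.

    The hash chaining is only there to have a state to derive from; it is not
    a real CSPRNG construction.
    """

    def __init__(self):
        self._state = hashlib.sha256()
        self.bytes_mixed = 0
        self.entropy_credited = 0.0

    def mix(self, data, credited_bits):
        self._state.update(data)
        self.bytes_mixed += len(data)
        self.entropy_credited += credited_bits

    def seeded_by_byte_count(self, needed_bytes=NAIVE_SEEDED_THRESHOLD_BYTES):
        """The check that low-entropy fallback data can talk its way past."""
        return self.bytes_mixed >= needed_bytes

    def seeded_by_entropy_credit(self, needed_bits):
        """The check a daemon should apply against its key-generation budget."""
        return self.entropy_credited >= needed_bits

    def key_material(self, nbytes, needed_bits):
        if not self.seeded_by_entropy_credit(needed_bits):
            raise RuntimeError(
                "PRNG not seeded: %.1f of %d bits credited"
                % (self.entropy_credited, needed_bits)
            )
        return hashlib.sha256(self._state.digest() + b"out").digest()[:nbytes]


def seed_from_fallback(samples, credit_full_entropy):
    """Mix the fallback timestamps in, crediting entropy one of two ways.

    credit_full_entropy=True reproduces the mistake of crediting 8 bits per
    byte mixed (the RAND_seed-style path); False credits the estimate instead.
    """
    pool = SeedPool()
    per_sample_bits = min_entropy_bits_per_sample(samples)
    for t in samples:
        blob = struct.pack(">I", t)  # 4 bytes of timestamp per sample
        bits = 8 * len(blob) if credit_full_entropy else per_sample_bits
        pool.mix(blob, bits)
    return pool


if __name__ == "__main__":
    need = total_budget_bits()
    naive = seed_from_fallback(FALLBACK_TIME_SAMPLES, credit_full_entropy=True)
    honest = seed_from_fallback(FALLBACK_TIME_SAMPLES, credit_full_entropy=False)
    print("budget needed: %d bits" % need)
    print("naive: %d bytes mixed, %.0f bits credited, seeded=%s"
          % (naive.bytes_mixed, naive.entropy_credited,
             naive.seeded_by_entropy_credit(need)))
    print("honest: %.0f bits credited, seeded=%s"
          % (honest.entropy_credited, honest.seeded_by_entropy_credit(need)))
```

Running it shows the naive pool reporting 1024 bits credited from 128 bytes of timestamps and declaring itself seeded, while the honest estimate credits at most 64 bits against a 384-bit budget and refuses to hand out key material. The estimate itself is generous: a real attacker can narrow four seconds of timestamps far below 64 bits, which is exactly why the reply asks for the entropy supplied to be measured before trusting the fallback.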
