On Sat, 17 Jul 1999, John Denker wrote:
> I have a question about various scenarios for an attack against IPsec by way
> of the random number generator. The people on the linux-ipsec mailing list
> suggested I bring it up here.
>
> Step 3a) If Whitney is getting key material from /dev/random, the result is
> a denial of service. All the IPsec tunnels will time out and will be
> replaced slowly or not at all, because of the entropy shortage.
>
> Step 3b) OTOH if Whitney is getting its key material from /dev/urandom
> (that's urandom with a U), then we don't have a DoS attack, but instead we
> have a situation where the attacker can mount a low-entropy attack against
> any or all of the other tunnels. Yuuuuuuuck.
The short answer is that both /dev/urandom AND /dev/random should be made
to use yarrow - http://www.counterpane.com/yarrow.html

If you do the internal pool mixing properly you can keep pulling out bits
forever without any real danger, and nobody, and I mean NOBODY needs one
full bit of entropy for every 'random' bit they produce. They just need
the total number of bits of entropy to be cryptographically large.

I'm not sure if anybody's yarrowified /dev/random yet - I think someone
from coderpunks was working on it.

-Bram
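The pool-mixing idea Bram describes, as an added illustration that is not part of this thread and is not Counterpane's Yarrow implementation: a simplified Yarrow-style generator in Python that accumulates entropy estimates in a hashed pool, reseeds its key once the estimate crosses a threshold, and then emits output in counter mode without ever blocking. The class name, the 256-bit reseed threshold, the generator-gate interval and SHA-256 as the primitive are assumptions of this sketch; Yarrow-160 specifies its own primitives and parameters.

```python
import hashlib


class ToyYarrow:
    """Simplified Yarrow-style PRNG: accumulate entropy in a hashed pool, reseed
    the generator key only when the pool estimate crosses a threshold, then emit
    output blocks indefinitely via a keyed hash in counter mode (no blocking)."""

    RESEED_THRESHOLD_BITS = 256   # assumed threshold; Yarrow-160 uses its own values
    GATE_EVERY_BLOCKS = 10        # generator gate: re-derive the key after this many blocks

    def __init__(self) -> None:
        self.pool = hashlib.sha256()   # the "internal pool" the reply refers to
        self.pool_bits = 0             # conservative entropy estimate for this pool
        self.key = None                # generator key; None until the first reseed
        self.counter = 0
        self.reseeds = 0

    def add_entropy(self, sample: bytes, est_bits: int) -> None:
        """Mix a sample into the pool and credit it with a caller-estimated bit count."""
        self.pool.update(sample)
        self.pool_bits += est_bits
        if self.pool_bits >= self.RESEED_THRESHOLD_BITS:
            self._reseed()

    def _reseed(self) -> None:
        # New key depends on the old key and the whole pool; the pool is then emptied.
        self.key = hashlib.sha256(b"reseed" + (self.key or b"") + self.pool.digest()).digest()
        self.pool = hashlib.sha256()
        self.pool_bits = 0
        self.counter = 0
        self.reseeds += 1

    def get_bytes(self, n: int) -> bytes:
        """Output blocks are H(key || counter); never blocks once seeded."""
        if self.key is None:
            raise RuntimeError("not seeded yet: no entropy has been credited")
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
            if self.counter % self.GATE_EVERY_BLOCKS == 0:   # generator gate: forward secrecy
                self.key = hashlib.sha256(b"gate" + self.key).digest()
        return bytes(out[:n])


def demo() -> dict:
    """Credit 256 bits of constructed entropy, then pull 64 kbit of output from it."""
    rng = ToyYarrow()
    for i in range(8):                       # constructed "timing samples", 32 bits credited each
        rng.add_entropy(i.to_bytes(4, "big") * 3, 32)
    a, b = rng.get_bytes(4096), rng.get_bytes(4096)
    return {"reseeds": rng.reseeds, "bits_in": 256,
            "bits_out": 8 * (len(a) + len(b)), "distinct": a != b}
```

The same construction shows why a blocking /dev/random starves: it hands out at most `pool_bits` of output per reseed, whereas this generator only needs the pool total to be large once.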