At 05:06 AM 8/8/99 -0400, Theodore Y. Ts'o wrote:
>So if I understand your reasoning, your attack posits that you start at
>the very beginning, where the pool has only (say) 50 bits of entropy,
>but the pool *thinks* it has a few hundred bits of entropy.  Basically,
>the idea is you assume the pool's starting state, and can try all 2**50
>possible inputs that might have been mixed into the pool, and try to
>match it with the output to /dev/random, right?

Yes, that's the basic attack, with whatever differential analysis 
can help out.

>One of the things which makes this difficult is that as soon as the
>machine boots, every single disk access will result in timing access
>data which gets mixed into the pool. 

The problem, for the linux-ipsec community, is that the machine may be
diskless, and may not have a soundcard, so the main source of randomness is
network timing, which nobody's very thrilled with either.

>Next, one of the other hurdles an attacker has to surmount is the
>mixing of data from a previous boot.  During the shutdown process, the
>/etc/rc.d scripts ask /dev/urandom to generate a block of random data
>equal to the size of the entropy pool, and this is stored in a file
>readable only by root, typically /var/run/random-seed.
>
>During the boot sequence, the contents of that file is mixed into the
>entropy pool.  *However*, the entropy count is not credited in this
>operation.  

This is good.


                                Thanks! 
                                        Bill
Bill Stewart, [EMAIL PROTECTED]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
