> The actual time would probably be more useful than the time since
> boot.

Heck - I can use both. It's cheap enough.

> I still have a problem with what I see as a fundamental weakness
> in storing "randomness" across reboots.

Schneier recommends this in his Yarrow paper.

> Logically, given a sufficiently large amount of time between a
> crash and the subsequent reboot, one could predict the random
> state, and attack immediately after a reboot... just like one
> could guess the fortune now, following a reboot.

Sure. If you followed the complete thread, you'll see we are trying to
deal with this.

> The state save in the shutdown -- besides not working unless you
> hop on one leg, pat your head, and rub your tummy while
> singing "Danny Boy" (or the moral equivalent of not being
> allowed to crash or use the "halt" or "reboot" commands) -- seems
> to me to be an inherent security flaw.

Not really. To exploit it, you need to be either root or have the
console. It would be easier to get the state out of /dev/kmem at that
stage. We covered this _months_ ago.

> Matt's points about compromise, number of random bits, as well
> as the amount of time it's OK to take, are also salient.
>
> Bottom line: any algorithm predicated only on saved state and
> based on predictable progression over a large period of time in
> which a compromise may be effected, is a problem.

The relevance to Yarrow is...? And your solution is.....?

> Perhaps it's time to draft a "big gun"? Someone who knows
> enough about number theory to know that multiplying two
> random numbers together results in less randomness, not more?

Bruce Schneier good enough?

> Or perhaps it's time to use a "tried but true" algorithm,
> like the 48 bit linear congruential algorithm, with a polynomial
> perturbation based on the current time at the time of reseeding,
> until the random ducks get (not) in a row? Pseudorandom seeding
> with a hidden key has got to be better than anything that opens
> a computation window for as long as your system is down after a
> crash... after all, we _are_ talking about security through
> obscurity (of the next number in a pseudorandom sequence), here.

Yarrow not good enough for you? Why not? What cryptanalysis of it are
you aware of that leads to a compromise? Where is your rebuttal of
Schneier's "Attacking PRNG's" paper?

> Nothing wrong with finding a handy giant, and standing on its
> shoulders... it's a time honored scientific tradition.

And I didn't do this how....?

> I'm not really volunteering here, since I'm just an applied
> mathematician, and only ever got off on theory as it applied
> to real problems in physics and computer science and elsewhere.
> I just know enough to know that it'd be dangerous to trust me to
> do the job 100% correctly. 8-). But I also see this as getting
> more important as /dev/random gets more and more central to
> security and authentication policy and enforcement.

Isn't theory wonderful?

M
--
Mark Murray
Join the anti-SPAM movement: http://www.cauce.org

To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-current" in the body of the message
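The point argued back and forth in the message above, that a seed file persisted across reboots is only a problem if it is the *sole* input to the generator after boot, can be shown in a few lines. The following is an added illustration, not code from this thread, from Mark Murray, or from FreeBSD's /dev/random; the class `ToyYarrow`, the functions `first_block_predictable` and `demo`, and the seed and boot-time values are all constructed for the example. It mirrors Yarrow's seed-file handling in simplified form (assumption: reseed key = SHA-256 over saved seed, boot time and fresh entropy; output = HMAC-SHA256 in counter mode; the shutdown seed file is generator output followed by a rekey) and contrasts a boot that mixes in nothing but the file with one that mixes in fresh entropy.

```python
import hashlib
import hmac
import struct


class ToyYarrow:
    """Toy Yarrow-style generator (assumption: a simplification for this
    illustration, not the FreeBSD implementation).

    Key at reseed time = SHA-256(saved seed || boot time || fresh entropy);
    output blocks = HMAC-SHA256(key, counter).
    """

    def __init__(self, saved_seed: bytes, boot_time: int, fresh_entropy: bytes) -> None:
        h = hashlib.sha256()
        h.update(b"reseed|")
        h.update(saved_seed)                      # contents of the seed file
        h.update(struct.pack(">Q", boot_time))    # wall-clock time at boot
        h.update(fresh_entropy)                   # whatever was gathered since boot
        self.key = h.digest()
        self.counter = 0

    def read(self, nbytes: int) -> bytes:
        """Return nbytes of generator output, advancing the counter."""
        out = bytearray()
        while len(out) < nbytes:
            block = hmac.new(self.key, struct.pack(">Q", self.counter),
                             hashlib.sha256).digest()
            out += block
            self.counter += 1
        return bytes(out[:nbytes])

    def write_seed_file(self) -> bytes:
        """Seed to persist at shutdown.  It is generator *output*, and the
        generator rekeys immediately afterwards, so someone who later reads
        the file learns neither the live key nor any earlier output."""
        seed = self.read(32)
        self.key = hashlib.sha256(b"rekey|" + self.key).digest()
        self.counter = 0
        return seed


def first_block_predictable(saved_seed: bytes, boot_time: int,
                            fresh_entropy: bytes, guessed_time: int) -> bool:
    """True if an observer holding only the seed file plus a guess of the
    boot time reproduces the first 32 output bytes of the rebooted generator."""
    real = ToyYarrow(saved_seed, boot_time, fresh_entropy).read(32)
    guess = ToyYarrow(saved_seed, guessed_time, b"").read(32)
    return hmac.compare_digest(real, guess)


def demo() -> tuple:
    saved = bytes(range(32))   # constructed: the seed file from the last shutdown
    boot = 946684800           # constructed boot time, 2000-01-01T00:00:00Z
    # Seed file only, nothing fresh mixed at boot: the file plus a correct
    # time guess fully determines the stream (the weakness raised above).
    weak = first_block_predictable(saved, boot, b"", boot)
    # Even a few bytes of fresh entropy mixed at reseed break the prediction.
    strong = first_block_predictable(saved, boot, b"\x07\x2a\x99", boot)
    # A wrong boot-time guess also fails, but the clock's uncertainty after a
    # reboot is small, so the time on its own is not much of a secret.
    wrong_time = first_block_predictable(saved, boot, b"", boot + 1)
    return weak, strong, wrong_time


if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, False)`: with only the seed file and the clock feeding the reseed, the file is the whole secret; once any fresh entropy enters the hash, the file alone no longer determines the output. The `write_seed_file` path is the other half of Yarrow's argument in the thread: what is written to disk is output, and the generator rekeys afterwards, so a file read later (by root, or from the disk) does not give back the state that produced earlier bytes.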