It doesn't matter. If you only have one bit of real entropy you are screwed
- no matter whether 0 or 10^15 bits of known data are introduced, and if
it's 10^15 bits of data the attacker can't reliably guess, you are
definitely better off.

And, to put this in perspective, given that the uninitialized memory
contents are likely unknowable off the machine - if Debian had screwed up
just a little more - and left the uninitialized memory as a source, but
taken out the real entropy source (instead of taking out both), would
Debian users be in better or worse shape now?


Peter


  From:    Thor Lancelot Simon <[EMAIL PROTECTED]>
  To:      openssl-dev@openssl.org
  Date:    05/19/2008 05:24 PM
  Subject: Re: valgrind and openssl

On Fri, May 16, 2008 at 11:24:45AM -0400, Geoff Thorpe wrote:
> On Friday 16 May 2008 00:47:52 Thor Lancelot Simon wrote:
> > On Thu, May 15, 2008 at 11:45:14PM +0200, Bodo Moeller wrote:
> > > It may be zero, but it may be more, depending on what happened earlier
> > > in the program if the same memory locations have been in use before.
> > > This may very well include data that would be unpredictable to
> > > adversaries -- i.e., entropy; that's the point here.
> >
> > Unfortunately, it may also very well include data that would be
> > highly predictable to adversaries.
>
> If feeding predictable data into a PRNG that was already well seeded with
> unpredictable data produced a weaker PRNG, then you have found a security bug
> in the PRNG and I suggest you publish.

Yeah, I've heard that a few times.  However, consider the pathological case,
in which an adversary manages to introduce N-1 bits of known state into your
PRNG which has N bits of internal state.  Are you comfortable with that?  For
what value M are you comfortable with N - M bits of the state having been
introduced by the adversary?  Why?

It seems to me that best practice is to not introduce such state if one
can avoid it, whether one counts it into an entropy estimate or not.

Thor
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
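As an added illustration of the disagreement in the thread above (this is not code from the list or from OpenSSL, and it does not model OpenSSL's actual pool), here is a toy Python model contrasting two ways of mixing data into a PRNG pool. The names `fifo_mix`, `hash_mix`, `prng_output`, the 32-byte pool and the single secret byte are all constructed for the example. The hash-chained mixer shows Geoff's point: attacker-known input cannot shrink the candidate set below the real entropy that went in. The sliding-buffer mixer shows Thor's pathological case: once enough known input has been fed in, it has displaced the real entropy entirely.

```python
import hashlib
import math

# Constructed toy parameters: a 32-byte pool and a single byte (8 bits) of real entropy.
POOL_BYTES = 32
SECRET_BITS = 8


def fifo_mix(pool: bytes, data: bytes) -> bytes:
    """Sliding-buffer mixer (hypothetical bad design): each appended input byte
    pushes the oldest byte out, so attacker-known input can displace the secret."""
    return (pool + data)[-POOL_BYTES:]


def hash_mix(pool: bytes, data: bytes) -> bytes:
    """Hash-chained mixer: new state = H(old state || input). Known input is
    absorbed but cannot overwrite the information the secret contributed."""
    return hashlib.sha256(pool + data).digest()


def prng_output(pool: bytes) -> bytes:
    """Toy output stage: derive output from the pool through a one-way function."""
    return hashlib.sha256(b"output" + pool).digest()


def distinct_outputs(mix, known_inputs) -> int:
    """Attacker's view: the initial pool and every byte in `known_inputs` are
    known; only the one secret byte is not. Enumerate all secrets and count how
    many distinct PRNG outputs the attacker would have to consider."""
    seen = set()
    for s in range(2 ** SECRET_BITS):
        pool = bytes(POOL_BYTES)            # known initial state (all zeros)
        pool = mix(pool, bytes([s]))        # the only real entropy enters here
        for d in known_inputs:              # attacker-known data mixed in afterwards
            pool = mix(pool, d)
        seen.add(prng_output(pool))
    return len(seen)


def residual_entropy_bits(mix, known_byte_count: int) -> float:
    """log2 of the attacker's candidate set after `known_byte_count` known bytes
    have been mixed in one at a time."""
    known = [b"\x41"] * known_byte_count    # constructed attacker-known input
    return math.log2(distinct_outputs(mix, known))


if __name__ == "__main__":
    for n in (31, 32, 1000):
        print(f"{n:4d} known bytes: fifo={residual_entropy_bits(fifo_mix, n):.0f} bits, "
              f"hash={residual_entropy_bits(hash_mix, n):.0f} bits")
```

With 31 known bytes the FIFO pool still holds the secret byte (8 bits left); with 32 it holds only known data (0 bits left), which is Thor's N-1-of-N case taken to its end. The hash-chained pool stays at 8 bits however much known data follows, which is why Peter's "you are screwed either way" holds for the one-bit case: the mixer decides whether known input is harmless or destructive, but it never manufactures entropy that was not there.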
