On 01/12/12 18:43, g....@free.fr wrote:
----- Mail original -----
From: "Roman Yeryomin" <leroi.li...@gmail.com>
To: "OpenWrt Development List" <openwrt-devel@lists.openwrt.org>
Sent: Thursday 12 January 2012 16:52:36
Subject: Re: [OpenWrt-Devel] [PATCH] Haveged entropy gathering daemon - Package
If I remember correctly there were some security reasons for removing
it from the kernel.
There are 2 reasons:
First, the network could be sniffed and one could use that knowledge to know what
has been added to the entropy pool at which exact time. Very hard to do and
much, much harder when there are multiple networks, as usually you are not able to
sniff all networks at the same time.
Secondly, /dev/random content is supposed to count only first-class entropy for
crypto purposes, so if you add content that is not of first-class quality,
you lie about the size of available entropy.
I think the real reason is that mostly programmers are paid to make big servers
work in a secure way.
If a server has only one network card active and that card feeds the entropy
pool, that would be bad for security if one is able to sniff that network. So from an
audit point of view, it is better to remove an uncertain entropy source.
Secondly, big servers these days have hardware noise generators to feed the entropy
pool.
Although I've done this on the ramips platform and didn't face any issues,
I think that, potentially, a better source of entropy would be radio
noise. Of course, if it's possible to get.
As with network traffic from cable, radio noise could be sniffed; in the radio case
even without physical access.
So that may not be better, maybe even worse.
Sure you can sniff noise, but you won't see the same noise as a sniffer
as you would as a receiver using it for entropy anyway, due to the nature of the
physical medium.
--
Florian