> Date: Tue, 06 Apr 2021 07:55:54 -0400
> From: Greg Troxel <g...@lexort.com>
>
> Thor Lancelot Simon <t...@panix.com> writes:
>
> > shuts down, again all entropy samples that have been added (which, again,
> > are accumulating in the per-cpu pools) are propagated to the global pool;
> > all the stream RNGs rekey themselves again; then the seed is extracted.
>
> It seems obvious to me that "extracting" the seed should be done in such
> a way that the state of the internal rng is still unpredictable from the
> saved seed, even if the state of the newly-booted rng will be
> predictable. Perhaps by pulling 256 bytes from urandom, perhaps by
> something more direct and then some sort of hash/rekey to get back
> traffic protection.
>
> Probably this is already done in a way much better thought out than my
> 30s reaction, but the man page doesn't really say this, at least that I
> could follow; rndctl -S says "save entropy pool".
`rndctl -L' follows the procedure outlined in Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno, _Cryptography Engineering_, Wiley, 2010, Sec. 9.6.2 `Update Seed File', p. 156 to safely update the seed file. The procedure is roughly:

1. Load the old seed.
2. Feed the old seed into the kernel.
3. Generate and write a new seed.
4. Erase the old seed if we can.

Some details specific to NetBSD:

- The new seed file is derived by hashing the old seed file together with output from /dev/urandom, after consolidating entropy in the per-CPU pools.
- The new seed file is written and fsync'd, and then moved into place with rename(), and then the old seed file is zero'd and fsync'd in-place.

This would be a lot of detail to put in the man page. But I did add a note that the file doesn't disclose past secrets -- does that help?
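The seed-file update described in the reply above, as an added Python example that is not rndctl's own code: `feed_kernel` stands in for writing the old seed to the kernel, `fresh_random` for reading /dev/urandom, and `SEED_LEN` and the hash domain prefix are assumptions made here.

```python
import hashlib
import os
import tempfile

SEED_LEN = 32  # 256-bit seed; an assumption for this example, not rndctl's value


def derive_new_seed(old_seed: bytes, fresh: bytes) -> bytes:
    # New seed = H(prefix || old seed || fresh randomness). An attacker who
    # later reads the file learns nothing about past RNG output, and the
    # file cannot be recomputed from the old seed alone.
    return hashlib.sha256(b"seed-update:" + old_seed + fresh).digest()[:SEED_LEN]


def update_seed_file(path: str, feed_kernel, fresh_random=os.urandom) -> bytes:
    # 1. Load the old seed. Keep the descriptor open so the old inode can be
    #    zeroed after its directory entry has been replaced.
    old_fd = None
    try:
        old_fd = os.open(path, os.O_RDWR)
        old_seed = os.read(old_fd, SEED_LEN)
    except FileNotFoundError:
        old_seed = b""  # first boot: nothing to feed or erase

    # 2. Feed the old seed into the kernel (callback stands in for /dev/random).
    if old_seed:
        feed_kernel(old_seed)

    # 3. Generate the new seed, write it to a temp file in the same directory,
    #    fsync it, then rename() it into place so readers see old or new, never partial.
    new_seed = derive_new_seed(old_seed, fresh_random(SEED_LEN))
    dirname = os.path.dirname(os.path.abspath(path))
    tmp_fd, tmp_path = tempfile.mkstemp(dir=dirname, prefix=".seed.")
    try:
        os.write(tmp_fd, new_seed)
        os.fsync(tmp_fd)
    finally:
        os.close(tmp_fd)
    os.rename(tmp_path, path)

    # 4. Erase the old seed in place through the still-open descriptor, so a
    #    later disk read cannot recover a seed that was already fed in.
    if old_fd is not None:
        os.lseek(old_fd, 0, os.SEEK_SET)
        os.write(old_fd, b"\0" * len(old_seed))
        os.fsync(old_fd)
        os.close(old_fd)
    return new_seed
```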