From: “Theodore Ts’o” <tytso@MIT.EDU>
To: Mark Murray <mark@grondar.za>
Message Hash: 0845d30c258ef42bdbe4fc34f521c30e602c6fe1181dcf44de6eeb4378525559
Message ID: <9510302119.AA24959@dcl.MIT.EDU>
Reply To: <199510301925.VAA27116@grumble.grondar.za>
UTC Datetime: 1995-10-30 23:10:10 UTC
Raw Date: Tue, 31 Oct 1995 07:10:10 +0800
From: "Theodore Ts'o" <tytso@MIT.EDU>
Date: Tue, 31 Oct 1995 07:10:10 +0800
To: Mark Murray <mark@grondar.za>
Subject: Re: /dev/random for FreeBSD [was: Re: /dev/random for Linux]
In-Reply-To: <199510301925.VAA27116@grumble.grondar.za>
Message-ID: <9510302119.AA24959@dcl.MIT.EDU>
MIME-Version: 1.0
Content-Type: text/plain
Date: Mon, 30 Oct 1995 21:25:50 +0200
From: Mark Murray <mark@grondar.za>
Version 0.92 21st Sept 1995.
Yup, there's a more recent version in the Linux tree at this point.
Something I didn't mention earlier; we felt that letting the unwashed
masses read /dev/*random was not a good idea, as they could deplete
the pool of entropy all to easily for attack purposes.
That should be a system administration issue. If someone wants to make
/dev/random readable only by root at their site, that's their business.
I don't see any point in trying to enforce that in the kernel code.
I don't agree that restricting read access is useful. First of all, if
the pool of entropy is depleted, someone who tries to obtain entropy by
reading /dev/random will know that they didn't get enough entropy. So
assuming a program that actually checks return values from system calls,
this is at worse a denial of service attack, and there are much easier
ways of performing those srots of attacks: "while (1) fork()", for
example.
Secondly, making /dev/random only readable by "privileged programs"
means that people won't be able to compile their own version of PGP that
can take advantage of the random number generator. Instead, they would
have to use a setuid version of PGP, and I'm quite sure PGP wasn't
written such that it would be safe to turn on its setuid bit.
Finally, even if you did have trustworthy applications which you could
setuid and only allow those programs to have access to /dev/random,
someone who repeatedly ran those applications could still end up
depleteing the pool of entropy.
So in the general case I would advise that /dev/random be left world
readable, since you *do* want general user programs to have access to
high quality random numbers.
For the same (or similar) reason, giving the said unwashed masses
_write_ privelige might allow them to set /dev/*random to a known
state. You've probably already thought of this, but I just had to say
it :-).
Again, /dev/random can be set to whatever permissions the system
administrator wants. Secondly, writing to /dev/random merely adds
randomness to the pool, via the mixing algorithm. It won't actually
permit people to *set* the state of the pool, and assuming that the
state of the pool is not known before the write operation, writing to it
won't allow the user to know what the state is after the write
operation.
The ioctl() which sets the entropy estimate, however, *does* need to be
runnable only by the superuser, however, since that does represent an
attack path.
And, for race condition reasons, something which I need to implement
soon is an ioctl(), usuable only by root, that simultaneously updates
the entropy estimate *and* submits data to be mixed into the pool. (Why
this is necessary should be obvious after a few minutes thought.)
> For example, although it
> may not be obvious, the network interrupt may not be a good choice,
> since an adversary who is monitoring the ethernet cable can make a
> pretty good guess about the timing of your network interrupts, and hence
> what the likely inputs are to the random number pool might be.
Are you sure about this? The stochastisity if this would be pretty
hefty. Not only would our attacker have to get the _time_ that the
interrupt occurred (if it interrupted our machine), he would then have
to process in brute-force mode all possible times in his error range.
What is more, more interrupts are coming in...
I didn't say that it would be trivial for an attacker to do this, but
it's certainly *doable*. Some of the network traffic analyzers that
have been made available (I think Sandia National Labs has one that does
this), records down to millisecond accuracy when a packet was sniffed on
the network.
For this reason, people shouldn't really trust initializing PGP's random
number generator over a network connection, since it is possible for an
adversary to obtain very high quality timings of when your telnet or
rlogin packets appeared on the network, and hence be able to guess
(within some error range) what the interkeyboard timings which PGP used
to initialize its random number generator.
The adversary might have to try a large number of possibilities, but if
the number of possibilities is less than a brute-force search, you
definitely have a weakness --- a fact which Netscape learned to its
embarassment a few weeks ago.
Hokay! Please also send me _your_ latest. (BTW - did Linus put it in
his latest kernel?)
Yup. 1.1.34 and higher has most of my changes. (I'm still making
changes which are still in development, though. Mostly incremental
improvements of one sort or another.)
- Ted
Return to October 1995
Return to ““Theodore Ts’o” <tytso@MIT.EDU>”