Subject: Re: CVS commit: src/sys/arch
To: Perry E. Metzger <perry@piermont.com>
From: David Laight <david@l8s.co.uk>
List: source-changes
Date: 09/06/2003 20:14:40
On Sat, Sep 06, 2003 at 02:11:12PM -0400, Perry E. Metzger wrote:
> 
> David Laight <david@l8s.co.uk> writes:
> > This WILL explode the install kernels!
> 
> Sadly, it is becoming harder to operate without the high quality rng
> device being present.

This is an orthogonal statement to the inclusion of rnd(8).

> It is being used for more and more things in our kernels.

What you mean is that more things require a random number generator of
cryptographic quality...

> I think Itojun's action is correct.

> We need to find a longer term solution for making our installations
> work than eliminating critical functionality...

Indeed, but I don't think rnd(8) in its current form is the solution.
I've just read the tech-security thread from May 2002, much said in
there is still valid...

AFAICT the RC4 algorithm itself is secure (I've checked some likely places)
given a secure key.
My gut feel is that the SHA based PRNG in rnd(8) is open to certain types of
attack (because it feeds the hash output back into the data to be hashed).

Interestingly, if the code just added in another 512 bytes of non-random
data into the hash, then the new output would be secure!
After all, given the SHA hash it is computationally infeasible to create
the original data - so it doesn't matter what you add.
This actually means that once the generator has enough entropy, it cannot
actually start generating non-random numbers.

Of course, if you can read /dev/mem you can find the current state.

	David

-- 
David Laight: david@l8s.co.uk
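The message above reasons about an output-feedback hash generator: the pool is hashed to produce output, the output is hashed back into the pool, extra non-random data may be hashed in as well, and anyone who can read kernel memory learns the pool. The following is an added example, written for this archive page and not taken from NetBSD's rnd(4) or from the e-mail's author, that models such a generator in Python with hashlib and checks three things a practitioner would want to see: a leaked pool snapshot lets an attacker reproduce every later output, feeding in fresh (unknown) entropy cuts that prediction off, and a fixed block of attacker-known filler mixed into every hash neither helps nor hurts a brute-force search for a low-entropy seed. The pool layout (a 20-byte SHA-1 digest), the 4-byte counter, the 512-byte filler pattern, the seeds and the "fresh entropy" bytes are all constructed assumptions, not values from the kernel.

```python
"""Toy model of an output-feedback SHA-based PRNG (added example; not rnd(4) code).
Pool layout, counter width, filler contents and seeds are assumptions."""
import hashlib

# Constructed, attacker-known, non-random data hashed into every output call.
# Stands in for the "another 512 bytes of non-random data" discussed above.
KNOWN_FILLER = bytes(range(256)) * 2      # 512 bytes, entirely predictable


def _h(*parts: bytes) -> bytes:
    """SHA-1 of the concatenation of its arguments (the pool hash)."""
    return hashlib.sha1(b"".join(parts)).digest()


class FeedbackPrng:
    def __init__(self, seed: bytes, filler: bytes = b""):
        self.pool = _h(seed)          # assumed 20-byte pool derived from the seed
        self.filler = filler          # fixed, known bytes added to each hash
        self.counter = 0

    def next_bytes(self) -> bytes:
        """Produce 20 output bytes, then hash that output back into the pool."""
        out = _h(self.pool, self.filler, self.counter.to_bytes(4, "big"))
        self.pool = _h(self.pool, out)   # output feedback, as in the e-mail
        self.counter += 1
        return out

    def add_entropy(self, data: bytes) -> None:
        """New input is just more hash material; its quality decides the pool's."""
        self.pool = _h(self.pool, data)

    def snapshot(self):
        """What an attacker who can read /dev/mem obtains: the whole state."""
        return self.pool, self.counter, self.filler

    @classmethod
    def from_snapshot(cls, pool: bytes, counter: int, filler: bytes):
        clone = cls.__new__(cls)
        clone.pool, clone.counter, clone.filler = pool, counter, filler
        return clone


def leaked_state_predicts_future(seed: bytes, n: int = 8) -> bool:
    """After a state read, every later output is reproducible from the snapshot."""
    gen = FeedbackPrng(seed, KNOWN_FILLER)
    for _ in range(3):
        gen.next_bytes()                  # output the attacker never observed
    clone = FeedbackPrng.from_snapshot(*gen.snapshot())
    return all(clone.next_bytes() == gen.next_bytes() for _ in range(n))


def reseed_breaks_prediction(seed: bytes) -> bool:
    """Mixing in entropy the attacker does not know makes the clone diverge."""
    gen = FeedbackPrng(seed, KNOWN_FILLER)
    clone = FeedbackPrng.from_snapshot(*gen.snapshot())
    gen.add_entropy(b"\x5a" * 32)         # constructed fresh entropy, unknown to clone
    return clone.next_bytes() != gen.next_bytes()


def recover_low_entropy_seed(observed: bytes, filler: bytes, seed_bits: int = 16):
    """Brute-force a seed_bits-bit seed from one observed output block.

    The known filler is applied exactly as the generator applies it, so it
    costs the attacker nothing; the search size depends on the seed alone."""
    for guess in range(1 << seed_bits):
        seed = guess.to_bytes(seed_bits // 8, "big")
        if FeedbackPrng(seed, filler).next_bytes() == observed:
            return seed
    return None


if __name__ == "__main__":
    print("leaked state predicts future:", leaked_state_predicts_future(b"seed-a"))
    print("reseed breaks prediction:    ", reseed_breaks_prediction(b"seed-a"))
    weak = b"\x12\x34"                    # constructed 16-bit seed
    seen = FeedbackPrng(weak, KNOWN_FILLER).next_bytes()
    print("recovered weak seed:         ", recover_low_entropy_seed(seen, KNOWN_FILLER))
```

The third check is the one worth keeping in mind when reading the "it doesn't matter what you add" argument: hashing in known data changes the output bytes but adds no work for an attacker who can model the generator, so the generator's strength rests entirely on the entropy that went into the pool (here the 16-bit seed falls in 65,536 SHA-1 trials), and a pool read from memory hands over everything until unknown entropy is mixed in again.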