Re: [Tails-dev] How to seed urandom (or not)?

Author: Jacob Appelbaum
Date:  
To: The Tails public development discussion list
CC: David Goulet
Subject: Re: [Tails-dev] How to seed urandom (or not)?
On 8/2/14, coderman <coderman@???> wrote:
> On Fri, Aug 1, 2014 at 10:24 AM, Jacob Appelbaum <jacob@???>
> wrote:
>> ...
>> Sure - if we have entropy, we can seed anything. :)
>
> *grin*
>
>
>
>
>> How is that worse? The goal is entropy collection. A public value is
>> not entropic.
>
> but a public value in addition to other predictable values maybe
> provides an incremental increase in difficulty of attack. (i'll
> provide tech citations later this eve)


I'm not really convinced. An attacker who attacks the RNG is going to
find all of the plausible public seeds. This is what brl did with
exegesis to attack the Debian RNG bug:

https://github.com/brl/exegesis

All public and predictable values are bad news. We need entropy not
predictability. :)

>
>
>> It may make sense to add entropy to the disk at install time from the
>> installing computer.
>
> this would fall into the persistence dependency category, but also
> very much useful!


I'm suggesting that installing on the USB disk would have a non-public
value. Unrelated to persistence, I might add.

>> The date is strictly better than no entropy at all. A date is a very
>> small amount of entropy but probably it is not sufficient.
>
> agreed.


In talking with Tanja Lange, she points me to this OpenSSL-fixed table:

http://www.projectbullrun.org/dual-ec/performance.html

The clock is not a very good entropy source, as expected.

>
>> That does that work? If we have no entropy, we have no entropy.
>
> i'm creating a matrix of kernel versions and potential pre-init user
> space seeding avenues available. this will explain it better.
>


Ok.

> odds low, but it could happen.
>


Odds low on creating the matrix? Or..?

>> We need both - we cannot know when one will not function as hardware
>> may change on a per boot basis.
>
> correct; this determination should be at initialization: can rngd
> run? if yes, don't launch haveged.


I think we want haveged as well.

>
>
>
>> Could you explain the (unseeded) process for entropy collection in the
>> kernel (3.14-1-amd64) in use on Tails? Assuming no haveged, rngd, etc.
>
> will do.
>


Looking forward to it.

All the best,
Jacob
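Added worked example (not from this thread, and not Tails code): the point about public or predictable seeds, and the clock in particular, made concrete. A toy HMAC-SHA256 DRBG is seeded from the boot time alone; an attacker who knows only the boot day recovers the seed, and therefore every output, with at most 86400 trials (about 16.4 bits of work). Mixing in a per-install secret that is not public (the "install-time value on the USB disk" idea) defeats that search. All constants, the `INSTALL_SECRET` value and the DRBG construction are assumptions made for the demonstration.

```python
import hashlib
import hmac
import math

# Constructed sample values (not real Tails data). Seconds since the epoch;
# the attacker is assumed to know the boot day but not the boot second.
WINDOW_START = 1406937600           # start of the assumed boot day, UTC
WINDOW_LEN = 86400                  # one day of candidate boot seconds
TRUE_BOOT_TIME = WINDOW_START + 37000
# Hypothetical per-install secret, written once to the install medium and
# never published. Constructed here; a real one would come from the
# installing machine's RNG.
INSTALL_SECRET = hashlib.sha256(b"constructed install-time secret").digest()


def drbg_output(seed: bytes, n_bytes: int = 32) -> bytes:
    """Toy DRBG: HMAC-SHA256 in counter mode over the seed.
    Deterministic by design, as any DRBG is; the seed is the only secret."""
    out = b""
    counter = 0
    while len(out) < n_bytes:
        out += hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n_bytes]


def clock_seed(boot_time_s: int) -> bytes:
    """The weak scheme under discussion: seed material is only the clock."""
    return boot_time_s.to_bytes(8, "big")


def mixed_seed(boot_time_s: int, install_secret: bytes) -> bytes:
    """Clock plus a non-public install-time value, hashed together."""
    return hashlib.sha256(clock_seed(boot_time_s) + install_secret).digest()


def key_from_clock(boot_time_s: int) -> bytes:
    return drbg_output(clock_seed(boot_time_s))


def key_from_clock_and_secret(boot_time_s: int, install_secret: bytes) -> bytes:
    return drbg_output(mixed_seed(boot_time_s, install_secret))


def recover_boot_time(observed_key: bytes, window_start_s: int, window_len_s: int):
    """Attacker: enumerate every plausible clock seed in the window and
    compare the resulting DRBG output with the observed key.
    Returns the boot second on success, None if no clock-only seed matches."""
    for t in range(window_start_s, window_start_s + window_len_s):
        if hmac.compare_digest(key_from_clock(t), observed_key):
            return t
    return None


def search_space_bits(window_len_s: int) -> float:
    """Work factor of the clock-only search, in bits."""
    return math.log2(window_len_s)


if __name__ == "__main__":
    key = key_from_clock(TRUE_BOOT_TIME)
    found = recover_boot_time(key, WINDOW_START, WINDOW_LEN)
    print(f"clock-only seed: attacker recovers boot time {found} "
          f"with at most {WINDOW_LEN} trials (~{search_space_bits(WINDOW_LEN):.1f} bits)")

    key2 = key_from_clock_and_secret(TRUE_BOOT_TIME, INSTALL_SECRET)
    found2 = recover_boot_time(key2, WINDOW_START, WINDOW_LEN)
    print(f"clock + install secret: clock-only search returns {found2}")
```

The install-time secret is only as non-public as the medium it lives on, and it does not change between boots, so it is a fixed input that raises the attacker's work, not a substitute for per-boot entropy from the kernel, rngd or haveged.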