Re: [Tails-dev] How to seed urandom (or not)?

Delete this message

Reply to this message
Autor: coderman
Data:  
A: The Tails public development discussion list
CC: David Goulet
Assumpte: Re: [Tails-dev] How to seed urandom (or not)?
On Sat, Aug 2, 2014 at 11:46 AM, Jacob Appelbaum <jacob@???> wrote:
>
> I'm not really convinced. An attacker who attacks the RNG is going to
> find all of the plausable public seeds. This is what brl did with
> exegesis to attack the Debian RNG bug:


yes, the difference is that different seeds require a different search
space - similar to salting a hash.

the salt does not prevent dictionary attacks, but it does prevent
relatively cheaper dictionary attacks.



> In talking with Tanja Lange, she points me to this OpenSSL-fixed table:
>
> http://www.projectbullrun.org/dual-ec/performance.html
>
> The clock is not a very good entropy source, as expected.


this is why the only "true fix" is a robust hardware entropy source
with access to raw samples (not obscured DRBG output like
RDRAND/RDSEED)