Re: [Tails-dev] How to seed urandom (or not)?

Poista viesti

Vastaa
Lähettäjä: HW42
Päiväys:  
Vastaanottaja: tails-dev
Aihe: Re: [Tails-dev] How to seed urandom (or not)?
Am Mon, 04 Aug 2014 13:30:49 +0000
schrieb Patrick Schleizer <patrick-mailinglists@???>:

> David Goulet:
> > Their big issue is the Ubuntu Cloud Image for which they rely on
> > https://launchpad.net/pollinate, TL;DR; it fetches random bytes over
> > HTTPS to seed /dev/random. (They do pin the certificate in the
> > client which is less crazy :).
> >
> > See:
> > http://blog.dustinkirkland.com/2014/02/random-seeds-in-ubuntu-1404-lts-cloud.html
> >
> > To be honest, I don't have a good way of fixing this issue. Feeding
> > the urandom-seed with the date might be better than nothing but
> > again I think that if a NTP correction occurs before seeding it, an
> > attacker could end up knowing the seed if the NTP server or the
> > link is malicious.
> >
> > Is it crazy to think that Tails could provide a "seeding server"
> > and use pollinate?
>
> I found an interesting comment about pollinate. [1]
>
> > Sooo, let me get this right. Your VM has no good random seed to
> > start
> from. To deal with that you make an HTTPS request to some server on
> the internet. That HTTPS connection requires a session key, which you
> have to generate from your random source that, well..., is not
> well-seeded at that point. Hence all the encryption of that seed is
> pretty much pointless.
>
> Discussion is also interesting. [1]
>
> What do you think? Is the https session key argument a good one
> against pollinate?


At least in the VM/Cloud case it's a very strange/suspicious solution.
I think the hypervisor/cloud-infrastructure should provide a (initial)
randomness source. Since you must fully trust it anyway.

Regarding your question one could argue that it's better than nothing
since you have a single https-handshake so a statistical attack is
probably harder.

But i think for Tails is a central randomness anyway a no-go even if it
would improve the entropy situation.

>
> [1]
> https://plus.google.com/wm/1/+LennartPoetteringTheOneAndOnly/posts/K22yyHRc6hn
>
> Cheers,
> Patrick
> _______________________________________________
> Tails-dev mailing list
> Tails-dev@???
> https://mailman.boum.org/listinfo/tails-dev
> To unsubscribe from this list, send an empty email to
> Tails-dev-unsubscribe@???.