RE: /dev/random in 2.4.6

David Schwartz (davids@webmaster.com)
Fri, 17 Aug 2001 15:05:39 -0700


> That's not the only attack, actually. The much simpler attack pathis
> for an attack to **observe** the network traffic to such a precise
> extent as to be able to guess what the entropy numbers are that are
> going into the pool. (Think: FBI's Carnivore).
>
> The one saving grace here is that in order to really do this well, the
> attacker would need to be sitting on the local area network to get the
> best and most precise timing numbers. You can argue that this is
> still a theoretical attack; but it's not quite so difficult as saying
> that the attacker has to "control" the network traffic.
>
> - Ted

This is a non-issue providing the entropy pool code correctly estimates the
amount of entropy. The Linux entropy code is written so that there is no
harm from putting fully known or partially known numbers into the pool
provided that the pool does not overestimate the amount of entropy in those
numbers.

Even if you could perfectly time the packets on the LAN, you still could
not tell the clock skew between the clock on the LAN card and the TSC. There
would still be unknowns involving how long it would take for the interrupt
to be acknowledged and the entropy gathering code to get to the CPU. These
unknowns still contain real entropy that there is no known way an attacker
could know.

DS

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/