Re: gpg can't get random/entropy

To: Julio Merino <jmmv%NetBSD.org@localhost>
Subject: Re: gpg can't get random/entropy
From: Thor Lancelot Simon <tls%panix.com@localhost>
Date: Tue, 15 May 2012 10:49:56 -0400

On Tue, May 15, 2012 at 09:57:58AM -0400, Julio Merino wrote:
> 
> Out of curiosity: why are networking drivers disabled by default?  Is
> it because an attacker could generate traffic to the machine on
> purpose and somehow predict the gathered entropy?

Yes -- you don't want to get into the situation in which the only, or
almost the only, source of entropy is visible to the attacker.  It makes
iterative guessing attacks easier.

Also, taking timings in some network drivers can have a major negative
impact on performance.

Carrying over entropy across boot, as we do now by default, and mixing in
more sources of information (environmental information and timings from
the VM system being two examples) are meant to help with this problem.
I am guessing your system isn't getting much if any entropy from those,
and that the entropy pool's always depleted by shutdown time, so you don't
carry much across boot either?

On such a system, if you're ever mixing in any real entropy at all, the
best you can do, if you must generate keys, may be to replace /dev/random
with a symlink to /dev/urandom.

Thor

Follow-Ups:
- Re: gpg can't get random/entropy
  - From: Jukka Ruohonen

References:
- gpg can't get random/entropy
  - From: Paul Goyette
- Re: gpg can't get random/entropy
  - From: Thor Lancelot Simon
- Re: gpg can't get random/entropy
  - From: Julio Merino
- Re: gpg can't get random/entropy
  - From: matthew sporleder
- Re: gpg can't get random/entropy
  - From: Julio Merino

Prev by Date: Re: gpg can't get random/entropy
Next by Date: Re: gpg can't get random/entropy
Previous by Thread: Re: gpg can't get random/entropy
Next by Thread: Re: gpg can't get random/entropy
Indexes:

Home | Main Index | Thread Index | Old Index