Re: regarding the changes to kernel entropy gathering
> Date: Tue, 06 Apr 2021 07:55:54 -0400
> From: Greg Troxel <gdt%lexort.com@localhost>
> Thor Lancelot Simon <tls%panix.com@localhost> writes:
> > shuts down, again all entropy samples that have been added (which, again,
> > are accumulating in the per-cpu pools) are propagated to the global pool;
> > all the stream RNGs rekey themselves again; then the seed is extracted.
> It seems obvious to me that "extracting" the seed should be done in such
> a way that the state of the internal rng is still unpredictable from the
> saved seed, even if the state of the newly-booted rng will be
> predictable. Perhaps by pulling 256 bytes from urandom, perhaps by
> something more direct and then some sort of hash/rekey to get back
> traffic protection.
> Probably this is already done in a way much better thought out than my
> 30s reaction, the man page doesn't really say this, at least that I
> could follow; rndctl -S says "save entropy pool".
`rndctl -L' follows the procedure outlined in
Niels Ferguson, Bruce Schneier, and Tadayoshi Kohno,
_Cryptography Engineering_, Wiley, 2010, Sec. 9.6.2 `Update
Seed File', p. 156
to safely update the seed file. The procedure is roughly:
1. Load the old seed.
2. Feed the old seed into the kernel.
3. Generate and write a new seed.
4. Erase the old seed if we can.
Some details specific to NetBSD:
- The new seed file is derived by hashing the old seed file together
with output from /dev/urandom, after consolidating entropy in the
- The new seed file is written and fsync'd, and then moved into place
with rename(), and then the old seed file is zero'd and fsync'd
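The four-step procedure and the NetBSD-specific details above, worked through as an added Python example (not rndctl's own code): the new seed is SHA-256 over the old seed concatenated with fresh /dev/urandom output, written to a temporary file, fsync'd, rename()d into place, and the old seed's bytes are then zeroed and fsync'd. The file name, the 32-byte seed length, SHA-256 as the hash, the callable standing in for the kernel load ioctl, and the trick of keeping the old file's descriptor open across the rename so its bytes can still be overwritten are all assumptions of the example, not details taken from the thread.

```python
import hashlib
import os
import tempfile

SEED_LEN = 32  # constructed size for this example; not taken from rndctl


def load_seed(path):
    """Step 1: return (fd, bytes) for the old seed file, or (None, None)
    if there is no seed yet. The descriptor stays open so the old bytes
    can still be overwritten in step 4 after rename() has replaced the
    name (assumption: this mirrors, not copies, what rndctl does)."""
    try:
        fd = os.open(path, os.O_RDWR)
    except FileNotFoundError:
        return None, None
    old = b""
    while True:
        chunk = os.read(fd, 4096)
        if not chunk:
            break
        old += chunk
    return fd, old


def derive_new_seed(old_seed, fresh):
    """Step 3: new seed = SHA-256(old seed || fresh /dev/urandom output).
    The hash is one-way, so the file on disk reveals neither the fresh
    output nor the pool state it was drawn from (no past secrets)."""
    h = hashlib.sha256()
    h.update(old_seed)
    h.update(fresh)
    return h.digest()[:SEED_LEN]


def write_seed_atomically(path, seed):
    """Write to a temp file in the same directory, fsync it, then
    rename() over the final name: a crash leaves either the old seed or
    the new one on disk, never a truncated file."""
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".seed.tmp.")
    try:
        os.write(fd, seed)
        os.fsync(fd)
    finally:
        os.close(fd)
    os.replace(tmp, path)
    dfd = os.open(directory, os.O_RDONLY)
    try:
        os.fsync(dfd)  # make the rename itself durable
    finally:
        os.close(dfd)


def erase_old_seed(fd, length):
    """Step 4: overwrite the old seed bytes with zeros and fsync. The
    name now points at the new file, but this descriptor still refers to
    the old inode, so its blocks are scrubbed before being freed."""
    os.lseek(fd, 0, os.SEEK_SET)
    written = os.write(fd, b"\0" * length)
    os.fsync(fd)
    os.close(fd)
    return written


def update_seed_file(path, feed_kernel, fresh_source=os.urandom):
    """Run the four steps in order. `feed_kernel` stands in for the
    kernel-side load (an ioctl in rndctl; a plain callable here).
    Returns (old_seed, new_seed, bytes_erased)."""
    old_fd, old_seed = load_seed(path)                 # 1. load old seed
    if old_seed:
        feed_kernel(old_seed)                          # 2. feed it to the kernel
    new_seed = derive_new_seed(old_seed or b"", fresh_source(SEED_LEN))  # 3. derive
    write_seed_atomically(path, new_seed)              #    write, fsync, rename
    erased = 0
    if old_fd is not None:
        erased = erase_old_seed(old_fd, len(old_seed))  # 4. erase the old seed
    return old_seed, new_seed, erased


def demo():
    """Two consecutive updates in a scratch directory, with a list
    standing in for the kernel; returns the observations worth checking."""
    fed = []
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "entropy-file")
        none_old, first, erased0 = update_seed_file(p, fed.append)
        old, new, erased1 = update_seed_file(p, fed.append)
        with open(p, "rb") as f:
            on_disk = f.read()
    return {"first_had_old": none_old is not None, "fed": fed, "first": first,
            "old": old, "new": new, "on_disk": on_disk,
            "erased": (erased0, erased1)}


if __name__ == "__main__":
    r = demo()
    print("old seed fed back into 'kernel':", r["fed"] == [r["first"]])
    print("seed rotated and on disk:", r["old"] != r["new"] == r["on_disk"])
```

Run it as a script to see the two-round rotation; the second round reads back the seed the first round wrote, hands it to the stand-in kernel, and leaves a different seed on disk with the old bytes zeroed.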
This would be a lot of detail to put in the man page. But I did add a
note that the file doesn't disclose past secrets -- does that help?