RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)

Christoph Anton Mitterer christoph.anton.mitterer at physik.uni-muenchen.de
Tue Oct 9 00:20:40 CEST 2012

Hi David.

Long time ago, the following[0] ;)

I recently stumbled across that question again,... when I deployed
haveged on our faculty's HPC cluster...
So I've asked[1] around at lkml, whether a malicious (or just bad)
entropy source could spoil the kernel's RNG.

Ted Ts'o, who currently maintains that part said (see the thread) he
wouldn't know any way how that could be done, but...

On Thu, 2009-09-10 at 22:35 -0400, David Shaw wrote:
> > 3) One problem with such devices is,.. that one can never know (well  
> > at
> > least normal folks like me) how good they actually are.
> > If this company would be evil (subsidiary of NSA or so) they could  
> > just
> > sell bad devices that produce poor entropy thus rendering our  
> > (symmetric
> > and asymmetric) keys, signatures etc. "useless". Right?
> Not completely useless given the Linux random design, but certainly an  
> evil source of entropy would be a serious problem.  Do you have any  
> reason to believe this device is evil?  There are many random number  
> generators on the market.  Knowing which ones are evil would be handy ;)
... your reply seems to somehow imply that it could...

So he (and I) wondered for the reasons :)

Thanks a lot,

[1] http://lkml.org/lkml/2012/10/4/210

More information about the Gnupg-users mailing list