RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)

David Shaw dshaw at jabberwocky.com
Tue Oct 9 18:16:27 CEST 2012

On Oct 8, 2012, at 6:20 PM, Christoph Anton Mitterer <christoph.anton.mitterer at physik.uni-muenchen.de> wrote:

> Hi David.
> Long time ago, the following[0] ;)
> I recently stumbled across that question again,... when I deployed
> haveged on our faculty's HPC cluster...
> So I've asked[1] around at lkml, whether a malicious (or just bad)
> entropy source could spoil the kernel's RNG.
> Ted Ts'o, who currently maintains that part said (see the thread) he
> wouldn't know any way how that could be done, but...
> On Thu, 2009-09-10 at 22:35 -0400, David Shaw wrote:
>>> 3) One problem with such devices is... that one can never know (well, at
>>> least normal folks like me) how good they actually are.
>>> If this company were evil (subsidiary of NSA or so) they could just
>>> sell bad devices that produce poor entropy, thus rendering our (symmetric
>>> and asymmetric) keys, signatures etc. "useless". Right?
>> Not completely useless given the Linux random design, but certainly an
>> evil source of entropy would be a serious problem.  Do you have any
>> reason to believe this device is evil?  There are many random number
>> generators on the market.  Knowing which ones are evil would be handy ;)
> ... your reply seems to somehow imply that it could...
> So he (and I) wondered for the reasons :)

The message is from three years ago, so I'm honestly not sure where I was going with that thought at the time.  Most likely, I was thinking about someone using an evil device for entropy directly rather than through a /dev/random that deals with the evil source case.

To be clear: I do not know of some way an evil input can somehow subvert the output of /dev/random on Linux.  My understanding was that it was designed to prevent that.
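A toy model of the hash-mixing design the reply refers to, added here as an example (not code from the thread, from haveged, or from the kernel; the pool structure and the entropy-credit counter are simplified assumptions): an attacker-chosen device input cannot remove entropy an honest source has already mixed in, but a bad device that is credited with entropy it does not have still leaves the pool believing it is richer than it really is.

```python
import hashlib
import secrets
from typing import Optional, Tuple


class ToyPool:
    """Simplified hash-mixing pool (a model, not the kernel's algorithm):
    inputs are hashed into the state and outputs are derived from the whole
    state, so any single contributor can only add to the mix, not cancel it."""

    def __init__(self) -> None:
        self.state = bytes(32)   # publicly known initial state
        self.credited_bits = 0   # entropy the pool *believes* it holds

    def mix(self, data: bytes, credit_bits: int = 0) -> None:
        self.state = hashlib.sha256(self.state + data).digest()
        self.credited_bits += credit_bits

    def extract(self, n: int = 32) -> bytes:
        out = hashlib.sha256(b"out" + self.state).digest()[:n]
        # ratchet the state so a leaked output cannot be run backwards
        self.state = hashlib.sha256(b"next" + self.state).digest()
        self.credited_bits = max(0, self.credited_bits - 8 * n)
        return out


def run(evil: bytes, good: Optional[bytes]) -> Tuple[bytes, bytes, int]:
    """Mix an attacker-chosen TRNG input (claiming 256 bits) and, optionally,
    an honest source the attacker cannot observe. Returns (real output, the
    attacker's prediction from replaying what they know, credited bits
    before extraction)."""
    pool = ToyPool()
    pool.mix(evil, credit_bits=256)          # bad device claims full entropy
    if good is not None:
        pool.mix(good, credit_bits=256)
    credited = pool.credited_bits
    real = pool.extract()
    # the attacker knows the initial state and their own device's bytes,
    # but not the honest source's bytes, so they replay only what they know
    replay = ToyPool()
    replay.mix(evil, credit_bits=256)
    return real, replay.extract(), credited


def evil_input_predicts_output(evil: bytes, good: Optional[bytes]) -> bool:
    real, guess, _ = run(evil, good)
    return real == guess


if __name__ == "__main__":
    evil = b"\x00" * 32                      # fully predictable "TRNG"
    print(evil_input_predicts_output(evil, secrets.token_bytes(32)))  # False
    print(evil_input_predicts_output(evil, None))                     # True
```

The second case is the real hazard: the pool still reports 256 credited bits while its output is entirely reproducible, which is why a daemon feeding a TRNG into the kernel should not credit entropy the device has not been shown to deliver.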


More information about the Gnupg-users mailing list