On Sun, Jul 24, 2005 at 04:06:02PM +0200, Poul-Henning Kamp wrote: +> In message <20050724135738.GM46538@darkness.comp.waw.pl>, Pawel Jakub Dawidek writes: +> +> >We should probably test entropy quality on boot. +> >I've somewhere userland version of /sys/dev/rndtest/ which implements +> >FIPS140-2 tests for (P)RNGs. We can use put it into rc.d/ and warn users. +> +> We also need to put code into exec(2) to verify that the binary we're about +> to execute does not suffer from Turings halting problem (ie: contains no +> endless loops) +> +> We might as well inspect for buffer overflows at the same time. +> +> Anyway, back in this universe: We should not stick a lot of stuff into +> our boot-time scripts, they are slow enough already. I think such a tool will be still useful (even if not turned on by default), so one can turn it on when thinks it's needed: - on production machines, - on first start of rc.d/sshd (when you host keys are generated), - when you need to check if PRNG is the thing which makes your fortune not to work properly (or instrument the user how to do it easly). etc. We (FreeBSD) did a lot of work to have really good PRNG, so its sucks when it just doesn't work. PS. CCing freebsd-security@. -- Pawel Jakub Dawidek http://www.wheel.pl pjd@FreeBSD.org http://www.FreeBSD.org FreeBSD committer Am I Evil? Yes, I Am! -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 187 bytes Desc: not available Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20050724/0fa6668f/attachment.bin
Pawel Jakub Dawidek wrote:> On Sun, Jul 24, 2005 at 04:06:02PM +0200, Poul-Henning Kamp wrote: > +> In message <20050724135738.GM46538@darkness.comp.waw.pl>, Pawel Jakub Dawidek writes: > +> >We should probably test entropy quality on boot. > +> >I've somewhere userland version of /sys/dev/rndtest/ which implements > +> >FIPS140-2 tests for (P)RNGs. We can use put it into rc.d/ and warn users. > +> > +> Anyway, back in this universe: We should not stick a lot of stuff into > +> our boot-time scripts, they are slow enough already. > > I think such a tool will be still useful (even if not turned on by default), > so one can turn it on when thinks it's needed: > - on production machines, > - on first start of rc.d/sshd (when you host keys are generated), > - when you need to check if PRNG is the thing which makes your fortune > not to work properly (or instrument the user how to do it easly).I think this would be more dangerous than valuable. "Most" failure modes of modern PRNGs will result in output which is cryptographically predictable but passes all known statistical tests. (To take a trivial example, the sequence MD5(0), MD5(1), MD5(2) ... looks random, but obviously isn't.) If we want to determine if the PRNG has been seeded properly, we should be querying the kernel, not trying to distinguish between "random" and "non-random" just based on its output. Colin Percival