|
|
|
|
| |
| This new paper which is about to appear later this month (May, 2006) on the IEEE security and privacy conference describes holes in Linux's random number generator, as well as a clear description of the Linux /dev/random. |
| |
Credit:
This is a joint work of Zvi Gutterman, Benny Pinkas and Tzachy Reinman to appear in IEEE S&P (Oakland Conference), May 2006.
The paper can be downloaded from: http://www.gutterman.net/publications/GuttermanPinkasReinman2006.pdf
|
| |
The Linux random number generator is part of the kernel of all Linux distributions and is based on generating randomness from entropy of operating system events. The output of this generator is used for almost every security protocol, including TLS/SSL key generation, choosing TCP sequence numbers, and file system and email encryption.
Although the generator is part of an open source project, its source code (about $2500$ lines of code) is poorly documented, and patched with hundreds of code patches.
We used dynamic and static reverse engineering to learn the operation of this generator. This paper presents a description of the underlying algorithms and exposes several security vulnerabilities. In particular, we show an attack on the forward security of the generator which enables an adversary who exposes the state of the generator to compute previous states and outputs. In addition we present a few cryptographic flaws in the design of the generator, as well as measurements of the actual entropy collected by it, and a critical analysis of the use of the generator in Linux distributions on disk-less devices.
Our main results are:
1. Clear description of the Linux /dev/random (Which was far from trivial and very complex).
2. Attack on /dev/random forward security (which is mostly theoretic at the moment because it requires break-in to the computer but is very simple to mount and break an important block in almost any crypt algorithm).
3. Concerning findings about the Linux software engineering process regarding security.
Vendor Status:
The Linux moderator of /dev/random did not answer our attempts at contacting him.
|
|
|
| Subject:
|
Harware generators, for example recent VIA mainboards |
Date: |
16 May 2006 |
| From: |
Richard |
If your system has a hardware random number generator Linux can use it. The kernel certainly recognizes its existence and using one offers speed advantages over the software generator. If you are concerned about security of the generator would it make more sense to use that?
While the document concerned findings about the security of open source engineering, I wouldn't call them too concerning. I see a lot worse in a lot of commercial products, both third party that I have used and in places I have worked where management feel that it is possible to sweep things under the proprietary rug.
Some of the suggested improvements are interesting, and hopefully they can be acted upon. I have more faith of that in the open source world where it can be fitted in, than in the commercial world of tight deadlines and sometimes unfounded fear of breaking dependant code close to a deadline. /dev/random is a relatively small component will a well known public interface, so a good candidate for easy maintenance. You indicate that a lot of patches have recently been applied, so it looks as if /dev/random is being actively maintained. |
|
| Subject:
|
You are partially answered |
Date: |
16 May 2006 |
| From: |
joshudson |
| In particular, the objections raised are relevant on CPUs lacking a TSC instruction. This includes 386/486 processors and some embedded processors (OpenWRT is most at risk here). |
|
|
|
|
|
|
