Mailing List Archive: Full Disclosure: Full-Disclosure

Re: DakaRand


dan at doxpara

Aug 19, 2012, 9:42 AM

Post #1 of 16 (378 views)
Re: DakaRand

>
> Lots of people are using "haveged" already, it operates on a similar
> principle.
>
> http://www.issihosts.com/haveged/
>
> Ciao, Marcus
>

Oh yes, there's been code floating around for years that uses timing drift
-- but it's never anything that, say, gets integrated into kernels or
distros or even embedded frameworks. Compared to the number of nodes out
there, it's certainly not "lots" of people using haveged. There's just
been a lot of fear and nervousness around clock drift approaches, and
indeed, entropy gathering has gotten *worse* (via abandonment of
interrupts), not better.

Hopefully we can finally put all that -- not to bed -- but to the test.
Let's find out if clock drift works after all.

--Dan
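Dan's "put clock drift to the test" invites an actual measurement, so here is an added example (written for this archive, not code from DakaRand, haveged or any poster). It times a fixed busy loop against the monotonic clock, keeps the low byte of each elapsed interval as one sample, and runs the most-common-value min-entropy estimator over the samples. The loop length, the sample count, the use of clock_gettime(CLOCK_MONOTONIC) and the hand-rolled log2 (to avoid a libm link dependency) are choices made here. The estimator assumes independent samples, so a high figure is a necessary, not a sufficient, sign that the source is usable; a figure near zero means the deltas are nearly constant, which is the starvation case the thread is worried about.

```c
#define _POSIX_C_SOURCE 200809L
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Read the monotonic clock in nanoseconds. */
static uint64_t now_ns(void) {
    struct timespec ts;
    clock_gettime(CLOCK_MONOTONIC, &ts);
    return (uint64_t)ts.tv_sec * 1000000000ull + (uint64_t)ts.tv_nsec;
}

/* Sample clock/scheduler jitter: time a fixed amount of busy work and keep
 * only the low byte of the elapsed nanoseconds. Returns the number of
 * samples written. The loop length (1000 iterations) is an arbitrary choice. */
size_t collect_jitter(uint8_t *out, size_t n) {
    volatile unsigned sink = 0;
    for (size_t i = 0; i < n; i++) {
        uint64_t t0 = now_ns();
        for (unsigned k = 0; k < 1000; k++) sink += k;
        uint64_t t1 = now_ns();
        out[i] = (uint8_t)(t1 - t0);
    }
    return n;
}

/* Fill a buffer with a ramp (i mod 256): a perfectly uniform "source" that
 * is handy for sanity-checking the estimator below. */
void fill_ramp(uint8_t *out, size_t n) {
    for (size_t i = 0; i < n; i++) out[i] = (uint8_t)i;
}

/* log2 without libm: x > 0 is split into m * 2^e (m in [1,2)) via the
 * IEEE-754 exponent field, and the fractional bits of log2(m) are pulled
 * out by repeated squaring. Exact for powers of two. */
static double log2_nolibm(double x) {
    union { double d; uint64_t u; } v = { x };
    int e = (int)((v.u >> 52) & 0x7ff) - 1023;
    v.u = (v.u & 0x000fffffffffffffull) | (1023ull << 52);
    double m = v.d, frac = 0.0, bit = 0.5;
    for (int i = 0; i < 52; i++) {
        m *= m;
        if (m >= 2.0) { frac += bit; m *= 0.5; }
        bit *= 0.5;
    }
    return e + frac;
}

/* Most-common-value min-entropy estimate, in bits per sample: the frequency
 * of the most common byte value bounds how well one sample can be guessed.
 * 8.0 means all 256 values occurred equally often; 0.0 means the source is
 * constant. It treats samples as independent, so it can overstate, never
 * understate, what a correlated source actually delivers. */
double min_entropy_mcv(const uint8_t *samples, size_t n) {
    if (n == 0) return 0.0;
    size_t counts[256] = {0}, max = 0;
    for (size_t i = 0; i < n; i++)
        if (++counts[samples[i]] > max) max = counts[samples[i]];
    return log2_nolibm((double)n / (double)max);
}

int main(void) {
    static uint8_t buf[4096];
    size_t n = collect_jitter(buf, sizeof buf);
    printf("%zu jitter samples, MCV min-entropy estimate: %.3f bits/sample\n",
           n, min_entropy_mcv(buf, n));
    return 0;
}
```

Run it a few times, and compare a VM with bare metal: the estimate moves with the platform, which is the empirical question the thread is raising.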


ben at links

Aug 19, 2012, 10:13 AM

Post #2 of 16 (371 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
> entropy gathering has gotten *worse* (via abandonment of interrupts), not
> better.

Entropy gathering in _one particular OS_. Credit where it's due, please.

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


noloader at gmail

Aug 19, 2012, 10:22 AM

Post #3 of 16 (362 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 1:13 PM, Ben Laurie <ben [at] links> wrote:
> On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>> entropy gathering has gotten *worse* (via abandonment of interrupts), not
>> better.
>
> Entropy gathering in _one particular OS_. Credit where its due, please.
:)



dan at doxpara

Aug 19, 2012, 1:28 PM

Post #4 of 16 (358 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie <ben [at] links> wrote:

> On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
> > entropy gathering has gotten *worse* (via abandonment of interrupts), not
> > better.
>
> Entropy gathering in _one particular OS_. Credit where its due, please.
>

My understanding is that bad keys were detected on more than just Linux,
which implies starvation on everything not out of Redmond.

What interesting approaches are you aware of that deserve credit? Not a
rhetorical question, I'm genuinely curious.

--Dan


ben at links

Aug 19, 2012, 3:03 PM

Post #5 of 16 (357 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 9:28 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>
> On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie <ben [at] links> wrote:
>>
>> On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>> > entropy gathering has gotten *worse* (via abandonment of interrupts),
>> > not
>> > better.
>>
>> Entropy gathering in _one particular OS_. Credit where its due, please.
>
>
> My understanding is that bad keys were detected on more than just Linux,
> which implies starvation on everything on everything not out of Redmond.
>
> What interesting approaches are you aware of that deserve credit? Not a
> rhetorical question, I'm genuinely curious.

I was referring to the abandonment of interrupts in Linux. You think
that other OSes have got worse at entropy gathering? And when did
"more than Linux" start implying "not Windows"?



dan at doxpara

Aug 19, 2012, 3:12 PM

Post #6 of 16 (359 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 3:03 PM, Ben Laurie <ben [at] links> wrote:

> On Sun, Aug 19, 2012 at 9:28 PM, Dan Kaminsky <dan [at] doxpara> wrote:
> >
> > On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie <ben [at] links> wrote:
> >>
> >> On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
> >> > entropy gathering has gotten *worse* (via abandonment of interrupts),
> >> > not
> >> > better.
> >>
> >> Entropy gathering in _one particular OS_. Credit where its due, please.
> >
> >
> > My understanding is that bad keys were detected on more than just Linux,
> > which implies starvation on everything on everything not out of Redmond.
> >
> > What interesting approaches are you aware of that deserve credit? Not a
> > rhetorical question, I'm genuinely curious.
>
> I was referring to the abandonment of interrupts in Linux. You think
> that other OSes have got worse at entropy gathering? And when did
> "more than Linux" start implying "not Windows"?
>

My assumption is that the other Unixes weren't looking at interrupt timing
to begin with, i.e. they've always been as starved for entropy as Linux
eventually became. That being said, does VxWorks even *have* an OS-provided
strong random number generator?

Windows has CryptGenRandom, which AFAIK doesn't block, and survives
everything but VM suspend/restore.

--Dan


noloader at gmail

Aug 19, 2012, 3:51 PM

Post #7 of 16 (356 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 6:12 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>
>
> On Sun, Aug 19, 2012 at 3:03 PM, Ben Laurie <ben [at] links> wrote:
>>
>> On Sun, Aug 19, 2012 at 9:28 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>> >
>> > On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie <ben [at] links> wrote:
>> >>
>> >> On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>> >> > entropy gathering has gotten *worse* (via abandonment of interrupts),
>> >> > not
>> >> > better.
>> >>
>> >> Entropy gathering in _one particular OS_. Credit where its due, please.
>> >
>> >
>> > My understanding is that bad keys were detected on more than just Linux,
>> > which implies starvation on everything on everything not out of Redmond.
>> >
>> > What interesting approaches are you aware of that deserve credit? Not a
>> > rhetorical question, I'm genuinely curious.
>>
>> I was referring to the abandonment of interrupts in Linux. You think
>> that other OSes have got worse at entropy gathering? And when did
>> "more than Linux" start implying "not Windows"?
>
>
> My assumption is that the other Unixes weren't looking at interrupt timing
> to begin with, i.e. they've always been as starved for entropy as Linux
> eventually became. That being said, does VXWorks even *have* an OS provided
> strong random number generator?
>
> Windows has CryptGenRandom, which AFAIK doesn't block, and survives
> everything but VM suspend/restore.

A bit dated:
* Analysis of the Linux Random Number Generator, eprint.iacr.org/2006/086.pdf
* Cryptanalysis of the Random Number Generator of the Windows
Operating System, eprint.iacr.org/2007/419.pdf

Most recent analysis of Linux RNG (AFAIK):
* Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network
Devices, https://factorable.net/paper.html



ben at links

Aug 20, 2012, 2:16 AM

Post #8 of 16 (346 views)
Re: DakaRand

On Sun, Aug 19, 2012 at 11:12 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>
>
> On Sun, Aug 19, 2012 at 3:03 PM, Ben Laurie <ben [at] links> wrote:
>>
>> On Sun, Aug 19, 2012 at 9:28 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>> >
>> > On Sun, Aug 19, 2012 at 10:13 AM, Ben Laurie <ben [at] links> wrote:
>> >>
>> >> On Sun, Aug 19, 2012 at 5:42 PM, Dan Kaminsky <dan [at] doxpara> wrote:
>> >> > entropy gathering has gotten *worse* (via abandonment of interrupts),
>> >> > not
>> >> > better.
>> >>
>> >> Entropy gathering in _one particular OS_. Credit where its due, please.
>> >
>> >
>> > My understanding is that bad keys were detected on more than just Linux,
>> > which implies starvation on everything on everything not out of Redmond.
>> >
>> > What interesting approaches are you aware of that deserve credit? Not a
>> > rhetorical question, I'm genuinely curious.
>>
>> I was referring to the abandonment of interrupts in Linux. You think
>> that other OSes have got worse at entropy gathering? And when did
>> "more than Linux" start implying "not Windows"?
>
>
> My assumption is that the other Unixes weren't looking at interrupt timing
> to begin with, i.e. they've always been as starved for entropy as Linux
> eventually became.

Well, you know what they say about assumptions.

> That being said, does VXWorks even *have* an OS provided
> strong random number generator?

Don't know, don't care.

> Windows has CryptGenRandom, which AFAIK doesn't block, and survives
> everything but VM suspend/restore.

FreeBSD also doesn't block.



dan at doxpara

Aug 20, 2012, 2:22 AM

Post #9 of 16 (345 views)
Re: DakaRand

>
> > My assumption is that the other Unixes weren't looking at interrupt
> timing
> > to begin with, i.e. they've always been as starved for entropy as Linux
> > eventually became.
>
> Well, you know what they say about assumptions.
>

Smart people will come around and help correct them? :)


>
> > That being said, does VXWorks even *have* an OS provided
> > strong random number generator?
>
> Don't know, don't care.
>

Why not? It carries your data.


>
> > Windows has CryptGenRandom, which AFAIK doesn't block, and survives
> > everything but VM suspend/restore.
>
> FreeBSD also doesn't block.
>

May I ask what FreeBSD's entropy sources are?


ben at links

Aug 20, 2012, 2:54 AM

Post #10 of 16 (351 views)
Re: DakaRand

On Mon, Aug 20, 2012 at 10:22 AM, Dan Kaminsky <dan [at] doxpara> wrote:
>> > My assumption is that the other Unixes weren't looking at interrupt
>> > timing
>> > to begin with, i.e. they've always been as starved for entropy as Linux
>> > eventually became.
>>
>> Well, you know what they say about assumptions.
>
>
> Smart people will come around and help correct them? :)
>
>>
>>
>> > That being said, does VXWorks even *have* an OS provided
>> > strong random number generator?
>>
>> Don't know, don't care.
>
>
> Why not? It carries your data.

Routers should not need strong randomness, at least the way the 'net
works now, to carry my data...

>> > Windows has CryptGenRandom, which AFAIK doesn't block, and survives
>> > everything but VM suspend/restore.
>>
>> FreeBSD also doesn't block.
>
>
> May I ask what FreeBSD's entropy sources are?

It depends - device drivers can add entropy. It does include interrupt
stuff, but not, by the looks of it, timing information, so I await the
results of your experiments with interest (note, btw, I didn't have
much to do with FreeBSD's /dev/random).



pschmehl_lists at tx

Aug 20, 2012, 8:29 AM

Post #11 of 16 (344 views)
Re: DakaRand

--On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky <dan [at] doxpara> wrote:
>
> May I ask what FreeBSD's entropy sources are?

I'm surprised you don't already know. From device noise.

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell



dan at doxpara

Aug 20, 2012, 8:32 AM

Post #12 of 16 (341 views)
Re: DakaRand

On Mon, Aug 20, 2012 at 8:29 AM, Paul Schmehl <pschmehl_lists [at] tx> wrote:

> --On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky <dan [at] doxpara>
> wrote:
>
>>
>> May I ask what FreeBSD's entropy sources are?
>>
>
> I'm surprised you don't already know. From device noise.


Which class? There are many sorts of said noise (most of which I believe
actually work).


giles at coochey

Aug 20, 2012, 8:47 AM

Post #13 of 16 (343 views)
Re: DakaRand

On 20/08/2012 16:32, Dan Kaminsky wrote:
>
>
> On Mon, Aug 20, 2012 at 8:29 AM, Paul Schmehl
> <pschmehl_lists [at] tx <mailto:pschmehl_lists [at] tx>> wrote:
>
> --On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky
> <dan [at] doxpara <mailto:dan [at] doxpara>> wrote:
>
>
> May I ask what FreeBSD's entropy sources are?
>
>
> I'm surprised you don't already know. From device noise.
>
>
> Which class? There are many sorts of said noise (most of which I
> believe actually work).
>
>
Not in answer to your questions, and not specific to FreeBSD, but the
following book, "Silence on the Wire", provides a good discussion of the
weaknesses of systems lacking in entropy.

http://lcamtuf.coredump.cx/silence.shtml#/


pschmehl_lists at tx

Aug 20, 2012, 9:29 AM

Post #14 of 16 (345 views)
Re: DakaRand

--On August 20, 2012 8:32:59 AM -0700 Dan Kaminsky <dan [at] doxpara> wrote:

>
>
>
> On Mon, Aug 20, 2012 at 8:29 AM, Paul Schmehl <pschmehl_lists [at] tx>
> wrote:
>
>
> --On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky <dan [at] doxpara>
> wrote:
>
>
> May I ask what FreeBSD's entropy sources are?
>
>
> I'm surprised you don't already know.  From device noise.
>
>
>
>
> Which class?  There are many sorts of said noise (most of which I
> believe actually work).
>

The long answer is: look at /usr/src/sys/sys/random.h.

The short answer is:

/* Allow the sysadmin to select the broad category of
 * entropy types to harvest
 */
struct harvest_select {
    int ethernet;
    int point_to_point;
    int interrupt;
    int swi;
};

swi is software interrupt handlers. interrupt is hardware interrupts (e.g.
usb, pci, etc.)

*If* you install a hardware PRNG, FreeBSD will use that instead (by
default).

--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell



dan at doxpara

Aug 20, 2012, 9:35 AM

Post #15 of 16 (344 views)
Re: DakaRand

On Mon, Aug 20, 2012 at 9:29 AM, Paul Schmehl <pschmehl_lists [at] tx> wrote:

> --On August 20, 2012 8:32:59 AM -0700 Dan Kaminsky <dan [at] doxpara>
> wrote:
>
>
>>
>>
>> On Mon, Aug 20, 2012 at 8:29 AM, Paul Schmehl <pschmehl_lists [at] tx>
>> wrote:
>>
>>
>> --On August 20, 2012 2:22:28 AM -0700 Dan Kaminsky <dan [at] doxpara>
>> wrote:
>>
>>
>> May I ask what FreeBSD's entropy sources are?
>>
>>
>> I'm surprised you don't already know. From device noise.
>>
>>
>>
>>
>> Which class? There are many sorts of said noise (most of which I
>> believe actually work).
>>
>>
> The long answer is look at /usr/src/sys/sys/random.h.
>
> The short answer is:
> /* Allow the sysadmin to select the broad category of
> * entropy types to harvest
> */
> struct harvest_select {
> int ethernet;
> int point_to_point;
> int interrupt;
> int swi;
> };
>
> swi is software interrupt handlers. interrupt is hardware interrupts
> (e.g. usb, pci, etc.)
>

Neat. What's the default, and what does it mine? Count? Nanosecond time?


>
> *If* you install a hardware PRNG, FreeBSD will use that instead (by
> default).


Excellent.

>
>
> --
> Paul Schmehl, Senior Infosec Analyst
> As if it wasn't already obvious, my opinions
> are my own and not those of my employer.
> *********************************************
> "It is as useless to argue with those who have
> renounced the use of reason as to administer
> medication to the dead." Thomas Jefferson
> "There are some ideas so wrong that only a very
> intelligent person could believe in them." George Orwell
>
>


pschmehl_lists at tx

Aug 20, 2012, 11:29 AM

Post #16 of 16 (339 views)
Re: DakaRand

--On August 20, 2012 9:35:54 AM -0700 Dan Kaminsky <dan [at] doxpara> wrote:
>
> Neat.  What's the default, and what does it mine?  Count?  Nanosecond
> time?
>

This 2002 USENIX paper explains the process. A Yarrow PRNG is used and the
output is encrypted with the AES Rijndael cipher.

<http://static.usenix.org/events/bsdcon/full_papers/murray/murray_html/>

Sources of entropy are defined in random.h:

enum esource {
    RANDOM_WRITE, RANDOM_KEYBOARD,
    RANDOM_MOUSE, RANDOM_NET,
    RANDOM_INTERRUPT, ENTROPYSOURCE
};
void random_harvest(void *data,
                    u_int count, u_int bits,
                    u_int frac, enum esource source);

Here's a copy of random.h:

<http://bintree.net/freebsd/d1/d79/random_8h_source.html>


--
Paul Schmehl, Senior Infosec Analyst
As if it wasn't already obvious, my opinions
are my own and not those of my employer.
*******************************************
"It is as useless to argue with those who have
renounced the use of reason as to administer
medication to the dead." Thomas Jefferson
"There are some ideas so wrong that only a very
intelligent person could believe in them." George Orwell

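To make the gating that harvest_select describes concrete, and to tie it to the random_harvest() prototype quoted in this message, here is a constructed model added for this archive. It is not FreeBSD's implementation: the enum and struct names are taken from the quoted random.h excerpts, while everything else is an assumption made here, namely the FNV-1a mixing step standing in for the real hash, treating frac as 1/1024ths of a bit, a 256-bit seeding threshold, and mapping the ethernet and interrupt switches to RANDOM_NET and RANDOM_INTERRUPT. It shows the starvation scenario discussed earlier in the thread: a headless box (no keyboard or mouse events) with those two categories switched off never accumulates any credit, however many events arrive.

```c
#include <stdint.h>
#include <stdio.h>

/* Names below come from the random.h excerpts quoted in this thread; the
 * behaviour is a constructed model, not the kernel's code. */
enum esource { RANDOM_WRITE, RANDOM_KEYBOARD, RANDOM_MOUSE, RANDOM_NET,
               RANDOM_INTERRUPT, ENTROPYSOURCE };

struct harvest_select { int ethernet; int point_to_point; int interrupt; int swi; };

#define SEED_THRESHOLD_BITS 256u   /* assumed: credit needed before output is trusted */

struct pool {
    uint64_t state;          /* toy mixing state (FNV-1a); stands in for the real hash */
    unsigned credit_1024;    /* entropy credited so far, in 1/1024-bit units (assumed) */
    unsigned accepted, dropped;
};

void pool_init(struct pool *p) {
    p->state = 0xcbf29ce484222325ull;   /* FNV-1a offset basis */
    p->credit_1024 = p->accepted = p->dropped = 0;
}

/* Model of random_harvest(): drop events from categories the sysadmin has
 * disabled; otherwise mix the event bytes and count into the pool and credit
 * bits + frac/1024 bits of entropy, capped at the threshold. Returns 1 if
 * the event was accepted, 0 if it was dropped. */
int harvest_model(struct pool *p, const struct harvest_select *sel,
                  const void *data, unsigned count, unsigned bits,
                  unsigned frac, enum esource source)
{
    int enabled = 1;
    switch (source) {                        /* assumed mapping of switches to sources */
    case RANDOM_NET:       enabled = sel->ethernet;  break;
    case RANDOM_INTERRUPT: enabled = sel->interrupt; break;
    default:               break;            /* write/keyboard/mouse always harvested */
    }
    if (!enabled) { p->dropped++; return 0; }

    const uint8_t *b = data;
    for (unsigned i = 0; i < count; i++) { p->state ^= b[i]; p->state *= 0x100000001b3ull; }
    p->state ^= count; p->state *= 0x100000001b3ull;

    unsigned add = bits * 1024u + frac;
    unsigned cap = SEED_THRESHOLD_BITS * 1024u;
    p->credit_1024 = (p->credit_1024 + add > cap) ? cap : p->credit_1024 + add;
    p->accepted++;
    return 1;
}

int pool_seeded(const struct pool *p) {
    return p->credit_1024 >= SEED_THRESHOLD_BITS * 1024u;
}

/* Simulate a headless box that only ever sees network and hardware-interrupt
 * events, each credited with half a bit (bits=0, frac=512). Returns whether
 * the pool reached the seeding threshold after `events` events. */
int simulate_headless(struct harvest_select sel, unsigned events) {
    struct pool p;
    pool_init(&p);
    for (unsigned i = 0; i < events; i++) {
        uint32_t stamp = 0x9e3779b9u * (i + 1);   /* constructed stand-in for a timestamp */
        harvest_model(&p, &sel, &stamp, sizeof stamp, 0, 512,
                      (i & 1) ? RANDOM_NET : RANDOM_INTERRUPT);
    }
    return pool_seeded(&p);
}

int main(void) {
    struct harvest_select all_on = {1, 1, 1, 1}, net_irq_off = {0, 1, 0, 1};
    printf("all categories on,  600 events: seeded=%d\n", simulate_headless(all_on, 600));
    printf("ethernet+interrupt off, 600 events: seeded=%d\n", simulate_headless(net_irq_off, 600));
    return 0;
}
```

The interesting knob for an operator is not the mixing function but the credit accounting: whatever is mixed in, output should only be trusted once the credited sources are ones the box actually has.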
