Re: /dev/random is probably not

To: "Charles M. Hannum" <mycroft@xxxxxxxxxx>
Subject: Re: /dev/random is probably not
From: Thomas Wana <thomas@xxxxxxx>
Date: Sat, 02 Jul 2005 16:08:13 +0200
Cc: bugtraq@xxxxxxxxxxxxxxxxx
In-reply-to: <200507011710.35815.mycroft@xxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <200507011710.35815.mycroft@xxxxxxxxxx>
User-agent: Mozilla Thunderbird 1.0.2 (Windows/20050317)

Charles M. Hannum wrote:

Most implementations of /dev/random (or so-called "entropy gathering daemons")rely on disk I/O timings as a primary source of randomness. This is based ona CRYPTO '94 paper[1] that analyzed randomness from air turbulence inside thedrive case.


At least on Linux, the entropy pool is not only filled with data
from I/O timings, but also from networking I/O, user input events,
etc etc.[1]

Which specific implementations do you mean with "most implementations"?

Tom

[1] man 4 random

I was recently introduced to Don Davis and, being the sort of person whorethinks everything, I began to question the correctness of this methodology.While I have found no fault with the original analysis (and have not actuallyconsidered it much), I have found three major problems with the way it isimplemented in current systems. I have not written exploits for theseproblems, but I believe it is readily apparent that such exploits could bewritten.
a) Most modern IDE drives, at least, ship with write-behind caching enabled.This means that a typical write returns a successful status after the data iswritten into the drive's buffer, before the drive even begins the process ofwriting the data to the medium. Therefore, if we do not overflow the bufferand get stuck waiting for previous data to be flushed, the timing will notinclude any air turbulence whatsoever, and should have nearly constant time.
b) At least one implementation uses *all* "disk" type devices -- includingflash devices, which we expect to have nearly constant time -- for timing.This is obviously a bogus source of entropy.
c) Even if we turned off write-behind caching, and so our timings did includeair turbulence, consider how a typical application is written. It waits for,say, a read() to complete and then immediately does something else. Bytiming how long this higher-level operation (read(), or possibly even aremote request via HTTP, SMTP, etc.) takes, we can apply an adjustment factorand determine with a reasonable probability how long the actual disk I/Otook.
Using any of these strategies, it is possible for us to know the input data tothe RNG -- either by measurement or by stuffing -- and, therefore, quitepossibly determine the future output of the RNG.
Have a nice holiday weekend.
[1] D. Davis, R. Ihaka, P.R. Fenstermacher, "Cryptographic Randomness from AirTurbulence in Disk Drives", in Advances in Cryptology -- CRYPTO '94Conference Proceedings, edited by Yvo G. Desmedt, pp.114--120. Lecture Notesin Computer Science #839. Heidelberg: Springer-Verlag, 1994.

Follow-Ups:
- Re: /dev/random is probably not
  - From: McLain Causey

References:
- /dev/random is probably not
  - From: Charles M. Hannum

Prev by Date: UnixWare 7.1.4 : Mozilla updated to 1.7.8 fixes security issues
Next by Date: Advisory 05/2005: Cacti Authentification/Addslashes Bypass Vulnerability
Previous by thread: /dev/random is probably not
Next by thread: Re: /dev/random is probably not
Index(es):
- Date
- Thread