paul at clubi.ie wrote:
> Not to be cranky, but the subject line was slightly deceptive - fixed. ;)
>> Amazing tale though. There's just so much to marvel at here.. E.g. is
> anyone else bothered by the apparent strong dependence of the OpenSSL
> PRNG on uninitialised memory for entropy (since when does
> "uninitialised" == "random")?
>> The blame game at:
>>http://www.links.org/?p=327>> is fascinating.
>> regards,
If you reboot without power off the memory may have original contents
If POST does some kind of memory test the memory may not be random
Depending on design of memory, the initial state after power on may not
be random. Actually it may never be random if enough is known of HW design.
If it is cold and power is only off a short while, the memory is
preserved. This has been used to demonstrate reboot from USB stick and
finding passwords etc still in memory from last session.
(all bets on security are always off if you have physical local access).
It does seem indeed that two mistakes where made.
1) A stupid design by OpenSSL
2) A inept bug fix by Debian.
The only 100% way I know to get a really random number in a PC is a
3.3V zener diode (white noise generator) read by a 50 cent PIC A/D
converter then read via USB or I2C by the OS, or whatever other A/D
converter may be available. I use a zener for filter and frequency
response testing from 10Hz to 2GHz. A zener feeding a wideband amplifier
with a BNC socket. .
--
Mike
Maintained by the ILUG website team. The aim of Linux.ie is to
support and help commercial and private users of Linux in Ireland. You can
display ILUG news in your own webpages, read backend
information to find out how. Networking services kindly provided by HEAnet, server kindly donated by
Dell. Linux is a trademark of Linus Torvalds,
used with permission. No penguins were harmed in the production or maintenance
of this highly praised website. Looking for the
Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
