On Wed, May 14, 2008 at 10:49 AM, Michael Watterson <watty at eircom.net>
wrote:
> If you reboot without power off the memory may have original contents
> If POST does some kind of memory test the memory may not be random
This is beside the point; when the OS hands a page of RAM off to a process,
it will be all-zeroes; a virtual page until it's written to, and then
physically zeroed where necessary. The buffer added to the entropy pool by
OpenSSL is an uninitialised stack buffer, which will *not* have random
contents; it will have fairly deterministic contents depending on the
previous program path. However, the *same function* is later used to add
other entropic sources to the RNG pool; when the Debian guy commented it
out, the baby got thrown out with the bathwater. FWIW, I don't think it's
as simple as "one of the removed lines was useless, the other was useful",
it is more that they are both useful at times during the program's execution
flow, even though they are also used to read uninitialised data.
> Depending on design of memory, the initial state after power on may not be
> random. Actually it may never be random if enough is known of HW design.
... and it certainly won't be random by the time it's read by an ordinary OS
process.
> It does seem indeed that two mistakes were made.
> 1) A stupid design by OpenSSL
Not stupid; it's just an additional source of hard-to-predict data which is
added to the pool by the SSL RNG, in addition to the other sources (on
Linux, /dev/urandom is used, as is the .rnd seed stored in the users'
homedir.)
> 2) An inept bug fix by Debian.
... by *a Debian contributor*. Debian is one of the largest Free Software
projects out there; it's not ideal to attribute ineptness to the whole
because of this incident. I'm sure that questions are being asked, however.
> The only 100% way I know to get a really random number in a PC is a 3.3V
> zener diode (white noise generator) read by a 50 cent PIC A/D converter
> then read via USB or I2C by the OS, or whatever other A/D converter may be
> available. I use a zener for filter and frequency response testing from 10Hz
> to 2GHz. A zener feeding a wideband amplifier with a BNC socket.
The point isn't to generate "a really random number", it's "to generate a
number which is sufficiently unpredictable to render remote guessing
attempts sufficiently difficult". Sources like /dev/urandom generally make
use of entropy sources which are *extremely* difficult to replicate or guess
at, and as such are almost as good as a true physics-based RNG from the
point of view of a PKI.
Colm
--
Colm Buckley / colm at tuatha.org / +353 87 2469146
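The "baby with the bathwater" point above, and the later point that the pool's job is unpredictability rather than physical randomness, can be modelled with a small example. This is added illustration, not code from the thread, from OpenSSL or from Debian: it assumes a toy pool whose state is a SHA-256 hash chain and a single `add()` mixing routine through which every source (an uninitialised-looking buffer, a `/dev/urandom` read and a seed-file read, all constructed here) is folded. Switching the mixing routine off stands in for commenting out the function body.

```python
import hashlib
import os

POOL_BYTES = 32


class EntropyPool:
    """Toy entropy pool (constructed for illustration, not OpenSSL's design).

    State is a 32-byte SHA-256 chain; every source is mixed in through the
    one add() routine, so disabling that routine discards all of them.
    """

    def __init__(self, mix_enabled: bool = True) -> None:
        self.state = bytes(POOL_BYTES)
        self.mix_enabled = mix_enabled
        self.counter = 0

    def add(self, data: bytes) -> None:
        # The single mixing routine. With mix_enabled=False the body is
        # effectively commented out: every caller's contribution is dropped,
        # not only the uninitialised-buffer one.
        if not self.mix_enabled:
            return
        self.state = hashlib.sha256(self.state + data).digest()

    def read(self, n: int) -> bytes:
        # Output derived from state plus a counter; weak by design, enough
        # to show whether the state ever depended on the sources.
        out = b""
        while len(out) < n:
            out += hashlib.sha256(
                self.state + self.counter.to_bytes(4, "big")
            ).digest()
            self.counter += 1
        return out[:n]


def seed_pool(pool: EntropyPool, uninitialised_buf: bytes,
              urandom_bytes: bytes, seed_file_bytes: bytes) -> EntropyPool:
    """Mirror the order the thread describes: a low-value stack buffer is
    added first, then the genuinely unpredictable sources (/dev/urandom and
    the ~/.rnd seed file). All go through the same add()."""
    pool.add(uninitialised_buf)   # fairly deterministic, depends on code path
    pool.add(urandom_bytes)       # the source that actually matters
    pool.add(seed_file_bytes)     # per-user seed, also worth keeping
    return pool


# Constructed stand-ins: a "stack buffer" that is the same on every run, and
# a seed file that is fixed for this user.
FAKE_UNINITIALISED_STACK = bytes(range(64))
FAKE_SEED_FILE = b"\x11" * 32


def distinct_outputs(mix_enabled: bool, trials: int) -> int:
    """Seed `trials` pools with fresh os.urandom() reads and count how many
    distinct 16-byte outputs result. With mixing on, each pool differs;
    with mixing off, the urandom read never reaches the state and every
    pool yields the same bytes."""
    seen = set()
    for _ in range(trials):
        pool = seed_pool(EntropyPool(mix_enabled),
                         FAKE_UNINITIALISED_STACK,
                         os.urandom(32),
                         FAKE_SEED_FILE)
        seen.add(pool.read(16))
    return len(seen)


if __name__ == "__main__":
    print("mixing enabled :", distinct_outputs(True, 50), "distinct outputs")
    print("mixing disabled:", distinct_outputs(False, 50), "distinct output(s)")
```

The uninitialised buffer contributes nothing useful here either way (it is identical on every run), which is why removing it alone would have been harmless; the damage comes from the shared routine, since the `/dev/urandom` and seed-file reads pass through the same `add()`. Note also that `distinct_outputs(True, ...)` is indistinguishable from a hardware source for this purpose: the thread's point that unpredictability, not physics, is what a PKI needs.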