New feature: remote entropy gatherer port
Lutz Jaenicke
Lutz.Jaenicke at aet.TU-Cottbus.DE
Wed Oct 3 18:18:52 EST 2001
On Tue, Oct 02, 2001 at 03:14:40PM -0500, mouring at etoh.eviladmin.org wrote:
> This has been talked about before (actually joked about because PRNGd
> supports this idea with maybe a tweak or two), but the main question is
> the security of the matter. How easily would it be to insert a
> predicatable set of information into this 'unencryption' data streem in
> order to weaken the encryption. Or just as bad someone hijacking the IP
> of the box and feeding predictable data out to all clients.
>
> What if your 'entropy host' is down (crashed machine, DoSed, etc).. Do you
> really wish to trust entropy collection off your machine? I'd rather see
> OSes implement the right kernel level tools instead of giving them an
> excuse to say it is not required.
>
> I'd rather not see anything like this go into the portable tree. It will
> end up being yet another option for uninformed people to use and screw up.
> And thus blame on us for their lack of understanding (much like KeepAlive
> and friends <sigh>).
Please let me express my full support for your statement. In your discussion
you left out the typical sniffer problem: if somebody sniffs the entropy
downloaded from the entropy server, it is not worth anything anymore.
(Of course you could download the entropy over an encrypted channel, but
then you won't need the entropy anymore :-)
PRNGd does not support remote ports and it will never do, for the reasons
just stated. TCP port support was only added to help people without
UNIX sockets anyway.
Best regards,
Lutz
(If you want to support a locally running PRNGd (or EGD) from a remote
source, you my easily add some network command to the list of gatherers
or use the "upload entropy" function to feed it into the pool. The security
point of view has just been discussed.)
--
Lutz Jaenicke Lutz.Jaenicke at aet.TU-Cottbus.DE
BTU Cottbus http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus Fax. +49 355 69-4153
More information about the openssh-unix-dev
mailing list