Bugtraq mailing list archives
Re: Tempfile vulnerabilities
From: lbudney-lists-bugtraq () NB NET (Len Budney)
Date: Thu, 3 Feb 2000 14:18:56 -0500
Theo de Raadt <deraadt () CVS OPENBSD ORG> wrote:
Crypto software which uses [/dev/random] devices should be doing some kind of checking to make sure that they are getting at least good entropy.
/dev/random will not emit bytes below some entropy threshold. Somebody draining /dev/random amounts to a DOS attack; it will begin emitting at a snail's pace, and users of /dev/random will contend for the scarce bytes. If lower entropy is acceptable, /dev/urandom will invoke a PRNG to keep emitting, even when the entropy pool is depleted. The output of /dev/urandom passes the diehard tests reasonably well, and should be acceptable for most non-cryptographic applications. Of course, as Werner Koch already indicated, casual applications of "random numbers" should not waste the entropy pool. Len. -- Bandwidth is bad for the same reason that most programs are so slow: programmers _guess_ where the bottlenecks are rather than _profiling_. -- Dan Bernstein
Current thread:
- Statistical Attack Against Virtual Banks, (continued)
- Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
- Re: Statistical Attack Against Virtual Banks HC Security (Feb 08)
- Re: Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
- Re: Statistical Attack Against Virtual Banks HC Security (Feb 09)
- Re: Statistical Attack Against Virtual Banks Swift Griggs (Feb 09)
- Re: Statistical Attack Against Virtual Banks Andre L. Dos Santos (Feb 08)
- SCO OpenServer SNMPD vulnerability NAI Labs (Feb 07)
- Re: Tempfile vulnerabilities Werner Koch (Feb 02)
- Re: Tempfile vulnerabilities Chris Cappuccio (Feb 03)
- Cross Site Scripting security issue Robert Zilbauer (Feb 02)
- Re: Tempfile vulnerabilities Len Budney (Feb 03)
- Re: Tempfile vulnerabilities antirez (Feb 05)
- Re: Tempfile vulnerabilities Ian Turner (Feb 07)
- Re: Tempfile vulnerabilities Seth David Schoen (Feb 07)
- Remote access vulnerability in all MySQL server versions Robert van der Meulen (Feb 08)
- don't run random "exploit" code Marc Slemko (Feb 08)
- cookies - nothing new Steven Champeon (Feb 07)
- Re: cookies - nothing new MJE (Feb 08)
- Re: Tempfile vulnerabilities Peter Berendi (Feb 08)
- Re: Tempfile vulnerabilities Marc Lehmann (Feb 08)