Bugtraq mailing list archives
Re: Bad PRNGs revisted in FreSSH
From: Damien Miller <djm () MINDROT ORG>
Date: Thu, 15 Feb 2001 14:44:59 +1100
On Wed, 14 Feb 2001 tls () REK TJLS COM wrote:
> > I don't think I need to tell people on this list why that's absolutely
> > horrible; I'm just pointing out that code is still released today with
> > crap like this. I would have thought we'd learned this lesson years
> > ago with the AFS, krb4, Netscape, et al vulnerabilities.
>
> You know what? I happen to agree with you -- so far as this not being a
> particularly lovely way to seed a PRNG goes. Due to a miscommunication,
> some documentation of why one *really* oughtn't use this fallback method
> wasn't included in the public FreSSH distribution -- thankfully, since
> just about everyone in the world *does* have a /dev/random (whatever name
> it's called by; this code is in an OS-dependent source file that has the
> appropriate name for the OS in question in it) just about nobody does get
> stuck with this.
If only this was the case! AIX, HP/UX, Solaris (without addons) and most
other commercial Unices lack /dev/random so this fallback is almost certain.
> However, some more notes on what they get stuck with:
>
> * worst-case, it degenerates to the internal seeding of the OpenSSL PRNG,
>   even if we fed it _nothing_ else at all. OpenSSL doesn't really suck
>   about this.
OpenSSL's random number routines don't suck, but they don't do any real
seeding of their own. Fortunately recent versions will fail when attempting
to obtain randomness when the PRNG has not been correctly seeded.
Unfortunately the bad code mentioned may pump enough bytes into the PRNG for
it to consider itself seeded - thus losing OpenSSL's protection.
> * it doesn't _quite_ degenerate to just the code you pasted above; several
>   timings are mixed in, not just at seed time but over the course of the
>   daemon's run.
Have you estimated the total entropy supplied by this seeding activity? It
needs to be (at the very least) greater than the entropy consumed in
generating 1) long term server keys 2) 'ephemeral' server RSA keys
3) session keys

-d

--
| Damien Miller <djm () mindrot org> \ ``E-mail attachments are the poor man's
| http://www.mindrot.org          / distributed filesystem'' - Dan Geer
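As an added illustration of the two points Damien raises (a pool that counts the entropy callers *claim* rather than what they really supply, and the need to compare entropy supplied against entropy consumed), here is a small Python model; it is not FreSSH or OpenSSL code. It assumes OpenSSL 0.9.x's 32-byte "seeded" threshold and a hypothetical timestamp-plus-pid fallback seed; the attacker's time window and pid range are constructed inputs.

```python
import math

# OpenSSL 0.9.x treated its pool as seeded once 32 bytes of *claimed* entropy had
# been added (ENTROPY_NEEDED in md_rand.c); this constant models that rule.
ENTROPY_NEEDED_BYTES = 32


class ClaimedEntropyPool:
    """Toy model of a pool that only tracks the entropy callers claim to supply."""

    def __init__(self):
        self.pool = b""
        self.credited_bytes = 0.0

    def seed(self, data, claimed_bytes=None):
        # RAND_seed() credits every byte as fully random; RAND_add() takes the
        # caller's own estimate, which a timing-based seeder tends to overstate.
        self.pool += data
        self.credited_bytes += len(data) if claimed_bytes is None else claimed_bytes

    def status(self):
        return self.credited_bytes >= ENTROPY_NEEDED_BYTES


def timing_seed(t_usec, pid):
    """Hypothetical fallback seed: a microsecond timestamp mixed with the pid."""
    return ((t_usec ^ (pid << 20)) & 0xFFFFFFFF).to_bytes(4, "big")


def seed_like_fallback(pool, start_usec, pid, rounds=8):
    """Mix `rounds` timing seeds taken 1 ms apart, as a fallback might over a run.
    Returns whether the pool now believes it is seeded (8 x 4 bytes = 32 bytes)."""
    for i in range(rounds):
        pool.seed(timing_seed(start_usec + i * 1000, pid))
    return pool.status()


def supplied_entropy_bits(window_sec, pid_range):
    """Upper bound on the real entropy of all seeds above: the whole sequence is a
    function of start time and pid, so an attacker who can bound the start to
    `window_sec` and the pid to `pid_range` values faces at most this many bits."""
    return math.log2(window_sec * 1_000_000) + math.log2(pid_range)


def entropy_deficit_bits(window_sec, pid_range, consumed_bits):
    """Shortfall between entropy actually supplied and entropy consumed by key
    generation (e.g. 128 for a 128-bit session key); positive means weak keys."""
    return consumed_bits - supplied_entropy_bits(window_sec, pid_range)
```

With a start time known to the minute and a pid below 32768, the pool reports itself seeded while the seeds carry at most about 41 bits, far short of a 128-bit session key.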