Re: /dev/random is probably not

[Jack Lloyd <lloyd () randombit net>]

On Sun, Jul 03, 2005 at 12:39:30PM -0700, Zow Terry Brugger wrote:

> It's been a while since I looked at the /dev/random design on Linux (probably 
> the early 2.4 days), however one thing that was quite clear was that they did 
> not use any network I/O as entropy sources because an attacker, particularly 
> one that already had control of other machines on the same LAN segment, could 
> have a high degree of control over that source. I would be most interested if 
> that has changed since the last time I looked at it.

ISTR that grsecurity has toggles that enable gathering entropy from network
traffic. Assuming the PRNG is any good, it shouldn't matter if an attacker can
manipulate such timings, because (by definition) a good PRNG will still behave
correctly even if an attacker does feed it lots of deliberately bad data (as
long as the PRNG also has been fed with a sufficient amount of unguessable
'good' input as well, of course).

[...]
> >    Windows family OSs.
>
> All I can observe here is that F-secure SSH still (at least the most recent 
> version I've used) collects its own entropy when running on Win2K, which 
> indicates to me that either they want to operate the same on all Windows 
> versions (as memory serves, Win95/98 does not have a RNG), or that Win2k does 
> not have a suitable RNG.

Only Win95 pre OSR2 is missing CryptoAPI (and specifically CryptGenRandom).
However, it's my understanding that early versions of CryptGenRandom were not
that great.

-Jack