[Pkg-sysvinit-devel] fundamental properties of entropy

Henrique de Moraes Holschuh hmh at debian.org
Thu Sep 16 04:18:02 UTC 2010


On Wed, 15 Sep 2010, John Denker wrote:
> > Part 1: enough stored entropy to use as "seed material" (4Kib for Linux)
> > that is unknown to the attacker.
> > 
> > Part 2: something that is unique to this specific device among all others.
> > 
> > Part 3: something that is provably different each time this specific device
> > is rebooted, i.e. each time there has been an irreversible loss of state.
> 
> There are two possibilities: 
> 
> a) If the stored material in Part 1 is unique on a per-machine 
>  basis, Part 2 is pointless.

However, that thread was not a theory, but an engineering thread.

Part 1 is assumed to have malfunctioned (we have more failure modes that
can cause it than I would care to list), or we would have no need for
anything else, indeed.  BTW, part 1 IS what we currently have.  Only, it
happens somewhat later in the boot process than I'd like.

> b) If the stored material in Part 1 is cloned from machine to
>  machine, this doesn't make sense, because it is not entropy.

But that's what happens when people copy live-CDs/DVDs or VM images
around, etc.  Part 1 is either missing, or non-unique (and known) at
least on the first boot, or invariant...

>  Calling it "stored entropy" does not make it so.  It is not
>  entropy and it is not secure.  Adding Part 2 and/or Part 3
>  cannot make it secure.

Which was addressed in the thread.  Part 2/3 are NOT about security,
they're about keeping some variance on the data retrieved from the
random-numbers kernel subsystem across reboots of the same
real-entropy-starved device, and also on synchronized boots of several
nearly-identical real-entropy-starved devices.

> There is a fundamental principle in the cryptography / security
> business says that you cannot make something secure by throwing
> together a whole bunch of insecure elements.  You can make it

I am well acquainted with that...

> I started a new thread because I am happy to have a wide-ranging
> discussion of fundamental principles of security, cryptology,
> and physics ... but I don't want it to be mistaken for a review 
> of the recently-submitted patches.

Ok, so other replies better stick to just the beginning of your post
(which I didn't reply to, as this subthread should not continue).

> I reckon that understanding the fundamental properties of
> entropy may be a prerequisite for reviewing the patches, but 
> it is not the same thing.

In that we agree fully...

-- 
  "One disk to rule them all, One disk to find them. One disk to bring
  them all and in the darkness grind them. In the Land of Redmond
  where the shadows lie." -- The Silicon Valley Tarot
  Henrique Holschuh
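Added example, not part of the thread above and not code from the sysvinit package: a small Python model of the three "parts" discussed in the reply, showing what mixing a device-unique value (Part 2) and a per-boot value (Part 3) into a cloned seed file (Part 1) does and does not buy. All sample values (the cloned seed bytes, the two device identifiers, the boot counter) are constructed for the demonstration; the use of SHA-256 as the mixing function and a monotonic boot counter as the Part 3 value are assumptions of this example, not something the thread specifies.

```python
from __future__ import annotations
import hashlib

# Constructed sample values standing in for a seed file cloned into a VM
# image, two device identifiers, and a boot counter; none come from the thread.
CLONED_SEED = bytes(range(64))          # Part 1, identical on every clone
DEVICE_A = b"serial:DEVICE-A-0001"      # Part 2 for one device (constructed)
DEVICE_B = b"serial:DEVICE-B-0002"      # Part 2 for another device (constructed)


def _field(tag: bytes, data: bytes) -> bytes:
    """Length-prefix one input so concatenated fields cannot be confused."""
    return tag + len(data).to_bytes(4, "big") + data


def mix_seed(stored_seed: bytes, device_id: bytes | None = None,
             boot_counter: int | None = None) -> bytes:
    """Derive the bytes that would be written to the kernel pool from up
    to three parts.

    Part 1 is always used; Part 2 (a device-unique value) and Part 3
    (a per-boot value, here a monotonic counter) are optional.  Hashing
    the parts together changes the output whenever any part changes, but
    it adds no entropy beyond what the attacker does not already know.
    """
    h = hashlib.sha256()
    h.update(_field(b"seed", stored_seed))
    if device_id is not None:
        h.update(_field(b"dev", device_id))
    if boot_counter is not None:
        h.update(_field(b"boot", boot_counter.to_bytes(8, "big")))
    return h.digest()


def variance_report() -> dict[str, bool]:
    """Show what Parts 2 and 3 do and do not provide when Part 1 is cloned."""
    # Two clones booting in lockstep from the same image, seed only (Part 1).
    only_seed_a = mix_seed(CLONED_SEED)
    only_seed_b = mix_seed(CLONED_SEED)
    # The same two clones with a device-unique value mixed in (Parts 1 + 2).
    with_dev_a = mix_seed(CLONED_SEED, DEVICE_A)
    with_dev_b = mix_seed(CLONED_SEED, DEVICE_B)
    # One device across two consecutive boots (Parts 1 + 2 + 3).
    boot1 = mix_seed(CLONED_SEED, DEVICE_A, 1)
    boot2 = mix_seed(CLONED_SEED, DEVICE_A, 2)
    # Someone holding the image who also knows the device id and boot count
    # recomputes the exact value: variance is not secrecy.
    recomputed = mix_seed(CLONED_SEED, DEVICE_A, 2)
    return {
        "clones_collide_without_part2": only_seed_a == only_seed_b,
        "clones_differ_with_part2": with_dev_a != with_dev_b,
        "reboots_differ_with_part3": boot1 != boot2,
        "predictable_when_all_parts_known": recomputed == boot2,
    }


if __name__ == "__main__":
    for name, value in variance_report().items():
        print(f"{name}: {value}")
```

The last entry of the report is the point the reply makes: Parts 2 and 3 keep two cloned images, or two boots of the same entropy-starved box, from feeding the kernel pool identical bytes, but anyone who can enumerate the inputs gets the same digest, so the only unpredictability in the result is whatever was unpredictable in Part 1.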