krb5 and PRNGs

Greg Hudson ghudson at MIT.EDU
Tue Sep 21 18:07:19 EDT 2010


On Tue, 2010-09-21 at 17:48 -0400, Nicolas Williams wrote:
> > We don't use /dev/urandom directly to generate keys.  I assume this is
> > out of concern that /dev/urandom might not be cryptographically
> > strong--that is, an attacker might be able to look at some of its
> > output, recover the internal state of the kernel's PRNG, and know all
> > of the subsequent outputs.  If /dev/urandom can be attacked in this
> 
> No, that's not correct.

What's not correct?  /dev/urandom *should* have all of the properties
you mentioned, but if we're willing to assume that, why not just use it
directly for keys?

Keep in mind that in the section you quoted, I am trying to intuit the
design intent of an architecture I myself did not have a hand in; I'm
not articulating my own views.

> Applications can only do so much to make up for limitations of the host
> OS' entropy services.  I'd say: use /dev/random to seed Yarrow/Fortuna,
> and be done.

Currently, we treat /dev/random as sufficiently precious that we are not
willing to use it every time the krb5 library is fired up, only for very
limited purposes (kadmind and kdb5_util create).  We really do
use /dev/urandom to seed Yarrow, most of the time.

Also, the whole point of my message is to call into question the
applicability of the Yarrow/Fortuna reseed logic to Kerberos.  Saying
"use /dev/random to seed Yarrow/Fortuna, and be done" sidesteps the
fundamental issue.
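As an added illustration of the point under debate (this is not code from the thread or from krb5), a toy Fortuna-style generator in Python: SHA-256/HMAC stand in for the block cipher, the seed and the "leaked seed" scenario are constructed. It shows that a generator seeded from a source the attacker can observe is exactly as predictable as that source, and that only a reseed with entropy the attacker never sees breaks the dependence.

```python
import hashlib
import hmac
import os

BLOCK = 32  # SHA-256 output size, used as the generator's block size


class SimpleFortuna:
    """Toy Fortuna-style generator: keyed PRF in counter mode, rekeyed after every request."""

    def __init__(self, seed: bytes):
        self.key = b"\x00" * BLOCK
        self.counter = 0
        self.reseed(seed)

    def reseed(self, entropy: bytes) -> None:
        # Fortuna's reseed step: new key depends on the old key and the fresh input.
        self.key = hashlib.sha256(self.key + entropy).digest()
        self.counter += 1

    def _block(self) -> bytes:
        out = hmac.new(self.key, self.counter.to_bytes(16, "big"), hashlib.sha256).digest()
        self.counter += 1
        return out

    def generate(self, n: int) -> bytes:
        out = b"".join(self._block() for _ in range((n + BLOCK - 1) // BLOCK))[:n]
        # Rekey after each request: a later state compromise does not reveal earlier output.
        self.key = self._block()
        return out


def keys_from_seed(seed: bytes, count: int = 3) -> list:
    """Derive `count` 32-byte keys from one seed (e.g. a value read from /dev/urandom)."""
    gen = SimpleFortuna(seed)
    return [gen.generate(32) for _ in range(count)]


def keys_from_urandom(count: int = 3) -> list:
    # os.urandom reads the kernel's pool (/dev/urandom on Linux); the generator adds nothing
    # to its unpredictability, which is the thread's "why not use it directly" question.
    return keys_from_seed(os.urandom(32), count)


def reseed_diverges(leaked_seed: bytes) -> bool:
    """True if reseeding with fresh entropy makes the real generator diverge from a replica."""
    real = SimpleFortuna(leaked_seed)
    replica = SimpleFortuna(leaked_seed)  # constructed: a copy built from the leaked seed
    if real.generate(32) != replica.generate(32):
        raise RuntimeError("same seed must give same output")
    real.reseed(os.urandom(32))  # fresh entropy the replica never sees
    return real.generate(32) != replica.generate(32)
```

`keys_from_seed` is deterministic in its seed, so the reseed policy, not the generator, is what limits how long a compromised seed stays damaging.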
