[linux-elitists] ssh hygiene

Steve Beattie steve@wirex.net
Tue Apr 30 12:25:02 PDT 2002


On Tue, Apr 30, 2002 at 11:34:14AM -0700, Aaron Lehmann wrote:
> One major issue about ssh's security that I've been meaning to bring
> up is its abuse of semi-secure random number. Rather than using
> Linux's urandom device directly, or, perhaps better, using the random
> device and blocking until bits are available, it seeds its own RNG
> with a few bytes from urandom. This really sucks. First of all,
> urandom is just a random number generator seeded by the random device,
> which is thought to have a good amount of entropy. 

Unless it's changed in recent kernels, that's not quite correct.  As I
understand it, /dev/urandom emits the same data as /dev/random until
the entropy pool runs out, and only then does it emit PRNG data instead
of blocking. The FreeSwan people are always whinging about this because
applications that don't need cryptographically strong random numbers and
use /dev/urandom still drain the kernel's entropy pool and cause
applications that do need strong random numbers and use /dev/random to
block waiting for more entropy to be collected.

The problem with using /dev/random directly is that for things like
firewalls (where you really care about security), there may not be a lot
of sources of entropy (no mice, no harddisks). That said, perhaps it
should be a configurable option.

> After all, the SSL in early versions of netscape was broken through
> a crappy PRNG.

Actually, IIRC, the weakness in netscrape's PRNG ssl implementation was
due to seeding it with gettimeofday(), not that it was cryptographically
weak.

-- 
Steve Beattie                               Don't trust programmers? 
<steve@wirex.net>                         Complete StackGuard distro at
http://NxNW.org/~steve/                            immunix.org
http://www.personaltelco.net -- overthrowing QWest, one block at a time.
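The pool-draining behaviour discussed above can be observed directly, and the "make it configurable" suggestion can be tried out, with the small Linux program below. It is an added example, not code from the list post or from ssh/FreeS/WAN: it reads the kernel's entropy estimate from /proc/sys/kernel/random/entropy_avail, tries /dev/random with O_NONBLOCK so a drained pool shows up as EAGAIN instead of a hang, and falls back to /dev/urandom only in that case. One caveat for anyone reading this today: since Linux 5.6 /dev/random no longer blocks once the CRNG is initialised, so the fallback path here fires only on older kernels or very early at boot. The paths, the 32-byte seed size and the helper names are this example's own choices.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Kernel's current entropy-pool estimate in bits (Linux only).
 * Returns -1 when /proc is unavailable, e.g. on non-Linux systems. */
long read_entropy_avail(void)
{
    FILE *f = fopen("/proc/sys/kernel/random/entropy_avail", "r");
    if (!f) return -1;
    long bits = -1;
    if (fscanf(f, "%ld", &bits) != 1) bits = -1;
    fclose(f);
    return bits;
}

/* Pull up to `want` bytes from `path` without ever blocking.
 * Returns the number of bytes obtained; fewer than `want` means the device
 * reported EAGAIN (entropy pool drained). Returns -1 on open/read errors. */
ssize_t read_nonblocking(const char *path, unsigned char *buf, size_t want)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    size_t got = 0;
    while (got < want) {
        ssize_t n = read(fd, buf + got, want - got);
        if (n > 0) { got += (size_t)n; continue; }
        if (n < 0 && errno == EINTR) continue;
        if (n < 0 && errno == EAGAIN) break;   /* pool empty: would block */
        close(fd);                              /* EOF or hard error */
        return -1;
    }
    close(fd);
    return (ssize_t)got;
}

/* Seed-fetch policy: prefer /dev/random, but never hang an entropy-starved
 * box (firewall, headless server). If /dev/random cannot deliver the whole
 * seed right now, take the full seed from /dev/urandom instead and report
 * which source was used. Returns 0 on success, -1 if neither device works. */
int fetch_seed(unsigned char *buf, size_t want, const char **source_used)
{
    ssize_t n = read_nonblocking("/dev/random", buf, want);
    if (n == (ssize_t)want) {
        *source_used = "/dev/random";
        return 0;
    }
    /* Drained (0 <= n < want) or absent (n < 0): discard the partial read so
     * the caller never sees a half-filled buffer. */
    memset(buf, 0, want);
    n = read_nonblocking("/dev/urandom", buf, want);
    if (n != (ssize_t)want) {
        *source_used = NULL;
        return -1;
    }
    *source_used = "/dev/urandom";
    return 0;
}

/* Cheap sanity check against an unread buffer: all-zero seed is a bug. */
int seed_nonzero(const unsigned char *buf, size_t len)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < len; i++) acc |= buf[i];
    return acc != 0;
}

int main(void)
{
    unsigned char seed[32];
    const char *src = NULL;

    printf("entropy_avail before: %ld bits\n", read_entropy_avail());
    if (fetch_seed(seed, sizeof seed, &src) != 0) {
        fprintf(stderr, "no usable random device\n");
        return 1;
    }
    printf("seeded %zu bytes from %s\n", sizeof seed, src);
    printf("entropy_avail after:  %ld bits\n", read_entropy_avail());
    return 0;
}
```

Running it in a loop on a pre-5.6 kernel shows entropy_avail dropping with each /dev/random read and the source flipping to /dev/urandom once the pool is exhausted, which is exactly the interaction between /dev/random consumers and pool drain described in the post; on a current kernel the source stays /dev/random and entropy_avail is reported but no longer gates reads.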