Re: [debian-devel] Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?

To: John Hasler <john@dhh.gt.org>, debian-devel@lists.debian.org
Subject: Re: [debian-devel] Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
From: Magosányi Árpád <mag@bunuel.tii.matav.hu>
Date: Sun, 4 Jan 2004 23:42:52 +0000
Message-id: <[🔎] 20040104234252.GA21505@bunuel.tii.matav.hu>
In-reply-to: <[🔎] 87d69zqs2i.fsf@toncho.dhh.gt.org>
References: <200312181128.NAA12752@home.ntrl.net> <[🔎] 200401042231.40765.russell@coker.com.au> <[🔎] 20040104115924.GA8139@steve.org.uk> <[🔎] 200401042304.16073.russell@coker.com.au> <[🔎] 20040104130152.GC32523@nenya.lan> <[🔎] 20040104194253.GA15389@bunuel.tii.matav.hu> <[🔎] 87d69zqs2i.fsf@toncho.dhh.gt.org>

A levelezőm azt hiszi, hogy John Hasler a következőeket írta:
> > -an "entropy friendly" /dev/?random for "not so important for security"
[]
> Your "not so important for security" programs will suck up all the entropy

By "entropy friendly" I meant an implementation which trades off using
less entropy for being a bit more predictable. I guess that a
"cryptographycally good" (in the sense /dev/urandom works when there
is no entropy) random number generator reseeded only now and then
might be enough in some cases for generating those magic values to the stack.
It depends on two factors I can think of:
-The desperation of the attacker. It is site-dependent.
-The "next best" way to crack the program. I am definitely not expert
 in cryptography, but given the fact that stack smashing is only one way to
 make the program go crazy, the needed amount of entropy might be quite low
 to keep stack smashing as not the best.

> via /dev/urandom and then keep going, running on what they get from the prng.
> Meanwhile, the important programs that were depending on /dev/random will
> be stalled, waiting for the entropy pool to refill.
> 
> Perhaps the kernel should cut /dev/urandom off from the entropy pool when
> it reaches some low-water mark. 

It is one way to create such an entropy-friendly device.

-- 
GNU GPL: csak tiszta forrásból

Reply to:

Follow-Ups:
- Re: [debian-devel] Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: John Hasler <john@dhh.gt.org>

References:
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Russell Coker <russell@coker.com.au>
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Steve Kemp <skx@debian.org>
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Russell Coker <russell@coker.com.au>
- Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Richard Atterer <richard@list04.atterer.net>
- Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: Magosányi Árpád <mag@bunuel.tii.matav.hu>
- Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
  - From: John Hasler <john@dhh.gt.org>

Prev by Date: Re: MIA, Incompetent and holiday-loving maintainers (was: Request for NMUs.)
Next by Date: Re: Bug#225999: ITP: debsync -- installed packages synchronization tool
Previous by thread: Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
Next by thread: Re: [debian-devel] Re: [debian-devel] Re: SSP for Debian unstable. was Re: security enhanced debian branch?
Index(es):
- Date
- Thread