Re: Paper on potential security issues with the linux kernel PRNG

To: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>
Cc: debian-security@lists.debian.org
Subject: Re: Paper on potential security issues with the linux kernel PRNG
From: Florian Weimer <fw@deneb.enyo.de>
Date: Sat, 14 Feb 2009 13:20:11 +0100
Message-id: <[🔎] 87hc2xnrb8.fsf@mid.deneb.enyo.de>
In-reply-to: <[🔎] 20090212163010.e6483d0c.michael.s.gilbert@gmail.com> (Michael S. Gilbert's message of "Thu, 12 Feb 2009 16:30:10 -0500")
References: <[🔎] 20090212163010.e6483d0c.michael.s.gilbert@gmail.com>

* Michael S. Gilbert:

> I just came across a reference [1] on potential flaws in the linux

([1] is based on Linux 2.6.10.)

> kernel PRNG (Pseudo-Random Number Generator).  Does anyone know if
> CVE's have been issued for these problems and/or whether they have been
> fixed either upstream or in debian?  If not, someone should issue
> requests for CVE's.  Thanks for any thoughts.

The German Federal Office for Information Security, BSI, has reviewed
the /dev/random PRNG in the Linux 2.6.21.5 version and recommends its
use (BSI TR-02102, version 1.0, published 2008-06-20).  I suppose this
means the flaws you referred are no longer present or not practically
relevant, but I haven't read the code myself.

Reply to:

References:
- Paper on potential security issues with the linux kernel PRNG
  - From: "Michael S. Gilbert" <michael.s.gilbert@gmail.com>

Prev by Date: 256-bit Camellia vs 256-bit AES - Which is better?
Next by Date: Re: [Evolution] Bug#508479: evolution shows a SMIME signed messages as ok even if modified
Previous by thread: Paper on potential security issues with the linux kernel PRNG
Next by thread: Potential expoits via application launchers (aka .desktop files)
Index(es):
- Date
- Thread