The following security advisory is sent to the securiteam mailing list, and can
be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Holes in the Linux Random Number Generator
------------------------------------------------------------------------
SUMMARY
This new paper which is about to appear later this month (May, 2006) on
the IEEE security and privacy conference describes holes in Linux's random
number generator, as well as a clear description of the Linux /dev/random.
DETAILS
The Linux random number generator is part of the kernel of all Linux
distributions and is based on generating randomness from entropy of
operating system events. The output of this generator is used for almost
every security protocol, including TLS/SSL key generation, choosing TCP
sequence numbers, and file system and email encryption.
Although the generator is part of an open source project, its source code
(about $2500$ lines of code) is poorly documented, and patched with
hundreds of code patches.
We used dynamic and static reverse engineering to learn the operation of
this generator.
<http://www.gutterman.net/publications/GuttermanPinkasReinman2006.pdf>
This paper presents a description of the underlying algorithms and exposes
several security vulnerabilities. In particular, we show an attack on the
forward security of the generator which enables an adversary who exposes
the state of the generator to compute previous states and outputs. In
addition we present a few cryptographic flaws in the design of the
generator, as well as measurements of the actual entropy collected by it,
and a critical analysis of the use of the generator in Linux distributions
on disk-less devices.
Our main results are:
1. Clear description of the Linux /dev/random (Which was far from trivial
and very complex).
2. Attack on /dev/random forward security (which is mostly theoretic at
the moment because it requires break-in to the computer but is very simple
to mount and break an important block in almost any crypt algorithm).
3. Concerning findings about the Linux software engineering process
regarding security.
Vendor Status:
The Linux moderator of /dev/random did not answer our attempts at
contacting him.
ADDITIONAL INFORMATION
This is a joint work of Zvi Gutterman, Benny Pinkas and Tzachy Reinman to
appear in IEEE S&P (Oakland Conference), May 2006.
The paper can be downloaded from:
<http://www.gutterman.net/publications/GuttermanPinkasReinman2006.pdf>
http://www.gutterman.net/publications/GuttermanPinkasReinman2006.pdf
========================================
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to:
list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to:
list-subscribe@securiteam.com
====================
====================
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.
