[cryptography] Duplicate primes in lots of RSA moduli

Nico Williams nico at cryptonector.com
Mon Feb 20 14:21:08 EST 2012


On Mon, Feb 20, 2012 at 7:07 AM, Ben Laurie <ben at links.org> wrote:
> In FreeBSD random (and hence urandom) blocks at startup, but never again.

So, not exactly a terribly wrong thing to do, eh?  ;)

What OSes have parallelized rc script/whatever nowadays?  Quite a few,
it seems (several Linux distros, MacOS X, Solaris, maybe some BSDs?

It seems to me that it should be quite safe to arrange for either a)
services that depend on /dev/urandom to not start until after [that
is, to depend on a service that does] proper seeding of it, or b)
/dev/urandom to block, but only early in boot, until properly seeded.
This is precisely why looking after the whole system is important; a
holistic view of the system will lead the developers to ensure that
there is enough entropy before any services (or user programs) run
that might need it.  And since user programs are outside the control
of the init process, it seems that (b) is the safer approach.

> One thing I'd really like to know is whether it would have ever
> unblocked on these devices - and if it does, whether it ends up with
> good entropy...

But devices like that really should have a) a factory seed (different
on each device, and obtained from a CSRNG), b) a clock and/or stable
storage for a counter so that it is possible to ensure distinct PRNG
state after each boot.  There are other cases where we may not be able
to rely on a factory seed, such as VMs and laptops.  (Well, at least
for pre-built VM images one could treat them like embedded devices and
embed a per-image seed...)

Nico
--



More information about the cryptography mailing list