On Thu, January 9, 2014 17:52, m.roth@xxxxxxxxx wrote: > Robert Moskowitz wrote: >> >> On 01/09/2014 05:28 PM, John R Pierce wrote: >>> On 1/9/2014 2:20 PM, Eero Volotinen wrote: >>>> It might be easier to compromise security of commercial products as >>>> source code is not available. they seem to have succeeded in compromising >>>>> STANDARDS and ALGORITHMS, to heck with implementations. >> >> Only algorithm they compromised was an RNG that got pretty strong thumbs >> down from the real cryptographers. They have not compromised any IETF >> standard; maybe kept quite about a problem, but have not put holes in >> any. Most of our problems with TLS is implementations and backwards >> compatiblity options. > > Not quite - anyone mandated to POSIX standards are effectively mandated to > use the compromised algorithms, as I understand it. > > mark Well, regardless of my thoughts on the ethics of this situation and my opinion about those who do these sorts of things, I have continued to research this issue. I have discovered that there is a great deal of literature respecting the weakness of the RNG and PRNG processes implemented on headless hosts, in particular headless hosts that are virtualised. Given the essential nature of true random number generation to cryptographically secure key creation this represents a significant weak point on such hosts. I am not going to reiterate or summarize any of this here because you can find these discussions easily enough via Google. However, I have developed a small script to alleviate the problem to some degree based on the writings and works of others. This requires the epel repository be enabled: #!/bin/bash cat /proc/sys/kernel/random/entropy_avail yum install dieharder haveged rng-tools -q -y cat /etc/sysconfig/rngd sed -i 's:EXTRAOPTIONS="":EXTRAOPTIONS="-r /dev/urandom":' /etc/sysconfig/rngd cat /etc/sysconfig/rngd chkconfig --level 2345 haveged on ; chkconfig --level 2345 rngd on service haveged start ; service rngd start cat /proc/sys/kernel/random/entropy_avail This increased the mean amount of entropy present in /dev/random on the systems I installed these packages on from ~176 bits to ~2048 bits. I continue to look into other related matters. -- *** E-Mail is NOT a SECURE channel *** James B. Byrne mailto:ByrneJB@xxxxxxxxxxxxx Harte & Lyne Limited http://www.harte-lyne.ca 9 Brockley Drive vox: +1 905 561 1241 Hamilton, Ontario fax: +1 905 561 0757 Canada L8E 3C3 _______________________________________________ CentOS mailing list CentOS@xxxxxxxxxx http://lists.centos.org/mailman/listinfo/centos