Re: Entropy available for luksFormat during GNU/Linux installs

On 01/24/2010 07:17 AM, Roscoe wrote:
> Has there been much consideration as to this matter within OS
> installers? Does anyone suspect any latent issues?
> 
> If we take a Debian text install with no network, that removes NIC
> generated interrupts and the mouse as sources of entropy, and
> considering setting up partitions [and consequently LUKS/LVM/RAID] is
> one of the first things you do within the installer, I start to become
> a bit suspicious of the quality of the 512 MK bits pulled for
> AES-256-XTS.

Yes, this is an interesting problem; just adding some notes:
(please correct me if I am wrong on some points)

- cryptsetup uses /dev/urandom, so the volume key quality really depends on the RNG here,
exactly the same as all other key generation during install

- cryptsetup/libcryptsetup now supports --master-key-file; you can use your own
pre-generated volume (master) key if you wish.
(Another reason was the ability to reformat a LUKS header with only MK knowledge.)

(Side note about plain (non-LUKS) mode with a random key: if the initscripts forget
to re-seed the RNG, various low-entropy attacks are possible during system boot.
Encrypted swap is usually initialised before the network and other sources of entropy are started!
The initscript must initialise plain encrypted devices in two steps: first the fs where
the RNG seed is stored, then reseed the RNG, and only then format the encrypted devices using a random key.)

(and in fact, cryptsetup cannot do any statistical tests on the RNG, the input is too small,
so it must trust the kernel here IMHO)

- maybe someone should also describe the RNG when the system is in FIPS 140 mode
(RNG initialisation and approved RNGs are exactly defined; IIRC the RNG must not
produce any output if not properly seeded, etc.)

- maybe the distribution can also run some RNG tests in the installer before generating the key?
(I mean e.g. rngtest from rng-tools,
or http://csrc.nist.gov/groups/ST/toolkit/rng/documentation_software.html
or http://www.phy.duke.edu/~rgb/General/dieharder.php
and from this "verified" source pre-generate the MK for cryptsetup luksFormat...)

Milan
_______________________________________________
dm-crypt mailing list
dm-crypt@xxxxxxxx
http://www.saout.de/mailman/listinfo/dm-crypt
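The installer-side flow Milan sketches (check the pool, run rngtest, then pre-generate the volume key and hand it to luksFormat via --master-key-file), as an added example that is not part of the thread or of cryptsetup itself. The entropy threshold, the helper names and the number of rngtest blocks are my own choices; it assumes a Linux /proc, rng-tools and a cryptsetup that accepts --master-key-file.

```shell
#!/bin/sh
# Added example (not from the thread): gate luksFormat on kernel entropy,
# sanity-check the RNG with rngtest, then pre-generate the volume (master)
# key and pass it with --master-key-file instead of letting luksFormat
# draw it silently from /dev/urandom inside a low-entropy installer.

MIN_ENTROPY=${MIN_ENTROPY:-256}   # bits; an assumed threshold, not from the thread
KEY_BYTES=64                      # 512-bit key for AES-256 in XTS mode

# Pure decision helper (kept separate so it can be tested without /proc):
# returns 0 when the pool estimate meets the threshold, 1 otherwise.
entropy_ok() {
    avail=$1; min=$2
    [ "$avail" -ge "$min" ]
}

# Read the kernel's current pool estimate (Linux only; 0 if unavailable).
current_entropy() {
    cat /proc/sys/kernel/random/entropy_avail 2>/dev/null || echo 0
}

# Feed rngtest 20 FIPS 140-2 blocks (20000 bits = 2500 bytes each) from
# /dev/random. rngtest exits non-zero when blocks fail (assumption about
# its exit code; check `rngtest --help` on the target system).
rng_selftest() {
    command -v rngtest >/dev/null || { echo "rngtest not installed" >&2; return 2; }
    dd if=/dev/random bs=2500 count=20 2>/dev/null | rngtest -c 20 >/dev/null 2>&1
}

# Generate the master key with restrictive permissions, verify its length,
# and format the device with it. Usage: prepare_and_format /dev/sdXN /root/mk.bin
prepare_and_format() {
    dev=$1; keyfile=$2
    entropy_ok "$(current_entropy)" "$MIN_ENTROPY" \
        || { echo "pool below $MIN_ENTROPY bits, refusing to generate key" >&2; return 1; }
    rng_selftest || { echo "rngtest did not pass, refusing to generate key" >&2; return 1; }
    umask 077
    head -c "$KEY_BYTES" /dev/random > "$keyfile" || return 1
    [ "$(wc -c < "$keyfile")" -eq "$KEY_BYTES" ] || { echo "short key file" >&2; return 1; }
    cryptsetup luksFormat --cipher aes-xts-plain64 --key-size 512 \
        --master-key-file "$keyfile" "$dev"
}
```

Keep the key file off the installed system (or wipe it after luksFormat) unless you want it around for a later header re-format, since it is the raw volume key, not a passphrase-wrapped slot.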
