Re: [patch 0/2] Add Fortuna PRNG to pgcrypto - Mailing list pgsql-patches

From Marko Kreen
Subject Re: [patch 0/2] Add Fortuna PRNG to pgcrypto
Date
Msg-id 20050708224247.GA21218@l-t.ee
Whole thread Raw
In response to Re: [patch 0/2] Add Fortuna PRNG to pgcrypto  (Bruno Wolff III <bruno@wolff.to>)
List pgsql-patches
On Fri, Jul 08, 2005 at 03:12:59PM -0500, Bruno Wolff III wrote:
> On Fri, Jul 08, 2005 at 23:03:49 +0300,
>   Marko Kreen <marko@l-t.ee> wrote:
> >
> > Well, those OS'es that already have urandom/random, don't need
> > it.  And those that don't - I really don't feel responsibility
> > to write one...
>
> But fortuna is essentially a high quality /dev/urandom. It doesn't make seem to
> much sense to implement it on top on /dev/urandom.

Ah, the chain /dev/urandom -> Fortuna -> result irritates you?

The main reason for Fortuna is to cover OS'es that don't have
/dev/random.  Currently only Win32 is adequately covered as it
provides it's own hardware random for seeding.  On others
the output is theoretically weak, but the silly randomness plus
hashing user data (which is supposedly secret) and key (ditto)
should provide 'Good Enough for 99% cases' randomness.

Now - for /dev/random OS'es: ofcourse, if the /dev/urandom works,
I could skip all of the Fortuna and use that directly, but I don't
see the need for that.  I even see disadvantage in doing that.

First, I prefer /dev/urandom to /dev/random (in Linux terms).
The /dev/random advantade is too theoretical for me - not worth
the practical disadvantage.  But following applies to it too.

While there is hardware-backed entropy available the urandom
gives true randomness - no way to predict it.  If the entropy
is drained, it degenerates into PRNG (although very good one).

The danger is, that if it runs as PRNG, some resourceful
'interested party' can read some of the output and then
predict what the next user will get or what some other user
got before.  So it is pretty important not to drain all
entropy from it.  /dev/random avoids this with blocking,
but IMHO urandom has state large enough to allow running
as a PRNG some time.

Now consider following scenario: you have 30 clients connected
to the server, each encryption something occasionally.
The current reseed delay is 3h - the result is that on
average, after every 6 seconds someone asks 256 bits from
/dev/urandom.  This pretty much guarantees that entropy
will be drained - especially on an unattanded server.
The situation would be much worse if they all read directly
from /dev/urandom.

And here's the key difference  - if they read directly from
/dev/urandom they all have PRNG with same state.  If someone
observes enough of the output from there to predict what
others get, he can.  But when using Fortuna inside pgcrypto:

- Each user (connection) will have different state.
- There is bigger chance that seeding from /dev/urandom
  has true entropy in it.

So even if someone predicts one state, it has no effect
on other users.  Ok, this is not exatly true when using
pooled connections - attacker could predict what the previous
user got or what next one will, but the fact that other
states are not compromised still stays.

OK, all this is rather theorethical.  Practically speaking,
if we need to have Fortuna anyway, we may as well be better
OS citizens by using it on /dev/urandom too.

--
marko


pgsql-patches by date:

Previous
From: Tom Lane
Date:
Subject: Re: Autovacuum integration
Next
From: jtv@xs4all.nl
Date:
Subject: Re: patch: garbage error strings in libpq