To: krb5-bugs@MIT.EDU
Subject: be a little less paranoid with PRNG seeding
From: Ken Raeburn <raeburn@MIT.EDU>
Date: Fri, 03 Mar 2006 18:41:03 -0500
Currently kadmind reads data from /dev/random every time it starts up
to seed the Yarrow PRNG. Not once per N keys generated, nor once per
N minutes of run time, but at every startup. In maintenance, testing
or other cases where restarts are fairly frequent compared to actual
key generation, this is a waste. It would probably be safe to save
some state (originally initialized from /dev/random of course), update
from /dev/urandom at process startup and occasionally thereafter. If
an attacker can get at the state file, they can probably get at the
master key, too.

If insufficient random bits have been generated by the system since
boot time, the read of /dev/random will block. This has occasionally
caused dejagnu test failures when kadmind doesn't start up fast enough
for the timeout settings, but now Tracy is reporting (via Zephyr at
CMU) 25-45 *minute* startup times for kadmind on some NetBSD 3.0
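
An added illustration (not krb5 code) of the state-file scheme proposed in the message above: a seed file initialized once from a blocking source, advanced with /dev/urandom at each startup (the same `reseed` step serves the "occasionally thereafter" refresh), written with owner-only permissions, and never holding the value the generator actually consumed. The file path, the 32-byte state size and the SHA-256 mixing are assumptions of this example.

```python
import hashlib
import os
import stat

STATE_LEN = 32  # size of the persisted seed state (assumed)

def load_state(path, first_seed):
    """Load the saved state; on first run derive it from first_seed
    (the one-time /dev/random read the message describes)."""
    try:
        with open(path, "rb") as f:
            state = f.read()
        if len(state) == STATE_LEN:
            return state
    except FileNotFoundError:
        pass
    return hashlib.sha256(b"seed-init|" + first_seed).digest()

def save_state(path, state):
    """Write the state atomically with owner-only permissions (0600)."""
    tmp = path + ".tmp"
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(state)
    os.replace(tmp, path)

def reseed(state, fresh):
    """Mix fresh entropy into the state. The stored state and the seed
    handed to the PRNG use different labels, so the file on disk never
    equals material the generator consumed."""
    next_state = hashlib.sha256(b"state|" + state + fresh).digest()
    prng_seed = hashlib.sha256(b"prng|" + state + fresh).digest()
    return next_state, prng_seed

def startup_seed(path, fresh=None):
    """Startup path: load state, fold in /dev/urandom (never blocks),
    persist the advanced state, return the seed for the PRNG."""
    if fresh is None:
        fresh = os.urandom(32)
    # The first run is where a one-time blocking /dev/random read belongs;
    # os.urandom stands in for it so the example runs anywhere.
    state = load_state(path, os.urandom(32))
    next_state, prng_seed = reseed(state, fresh)
    save_state(path, next_state)  # advance before use: reading the file
    return prng_seed              # later does not reveal this seed

def state_file_is_private(path):
    """True if the seed file is neither group- nor world-readable."""
    return (stat.S_IMODE(os.stat(path).st_mode) & 0o077) == 0
```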

Probably dealt with by #4693 (already fixed) and #1233 (in progress)