| 1 |
On Sunday 22 October 2006 06:16, Richard Freeman wrote: |
| 2 |
> 3. Generate a random encryption key (WHOA - why on earth is that script |
| 3 |
> using urandom for this - it only pulls 18 bytes - I just changed it to |
| 4 |
> /dev/random in mine (more secure in the event the entropy pool gets low |
| 5 |
> - although normally they are the same)). For those not in the know, |
| 6 |
> /dev/random blocks if it runs out of entropy, but /dev/urandom just |
| 7 |
> gives out a less random value. If you need 50MB of random data you have |
| 8 |
> to use urandom if you don't want to freeze the system for 12 hours, but |
| 9 |
> for 18 bytes we can afford to wait for quality data. |
| 10 |
|
| 11 |
Nice catch. At this point in booting we should have plenty of entropy in the |
| 12 |
random pool. Would be wise to start service random a few steps back to make |
| 13 |
sure it's really random and not boot-sequence-pridictable-random, although |
| 14 |
the script is plenty paranoid. |
| 15 |
> |
| 16 |
> 4. /dev/(u)random dumps binary data - losetup wants something more sane |
| 17 |
> as a key, so uuencode is used to convert to text. No source of |
| 18 |
> compromise here - the original data was random so the uuencoded data is |
| 19 |
> still random (it is now constrained in potential output values, but is |
| 20 |
> longer which compensates). |
| 21 |
I actually ran this script many times without uuencode, just passing the |
| 22 |
random string to losetup without any complaints. glad i have uuencode now |
| 23 |
though ;) |
| 24 |
|
| 25 |
-Jason |
| 26 |
|
| 27 |
-- |
| 28 |
gpg public key: http://lazybird.hyperintelligent.net/~jbooth/jbooth_key.asc |
| 29 |
|
| 30 |
-- |
| 31 |
gentoo-amd64@g.o mailing list |
Archives