A cryptographically secure hash function works wonders for this. For each entropy sample: State = H(State + Entropy).
Heartbleed-like = something providing read-only access to memory containing state (not necessarily kernel, e.g. arc4random-like)
-
-
Sure, but that isn't affected by the mixing function itself. Memory disclosure of state wins against any entropy source.
-
Doesn't matter if I use RDRAND -> xor -> state -> PRNG, or keybd timings -> sha1 -> state -> PRNG. Exposed state = you lose.
-
Indeed, perhaps there are no cases where you don't lose more than exposed state already lost you.
-
One example might be when the attack process is sandboxed some way that precludes exfil.
-
See, sandboxes make this more fun, because gathering entropy in them is super hard. You need to expose entropy to them safely.
-
A consideration in multi-core systems with HRNGs is proper synchronisation of the HRNG to prevent parallel reading of the output
-
Since if core 0 is executing untrusted code in a sandbox, unsynchronised access would allow RNG output sniffing of other code.
-
Trivially exploitable, too. Poll RNG in a tight loop from the attacking core. Sliding window over them. Job done.
End of conversation
New conversation -
-
-
If you can steal the state, there's an opportunity to try to provide bad data to be mixed, with vast computing resources.
-
If you can steal the state then you can predict random numbers until the next reseed anyway. But yes, that's why you use a hash.
-
If you control all the entropy going in then you win anyway. If you control all but a single good entropy source then you lose.
-
To break you'd need a break in H such that H(s+u+q) is predictable, where u is an unknown, s is known & q is a value you picked.
-
s being the state, u being the unpredictable output of a good entropy source, and q being bad entropy from you.
-
Or worse, you'd need to make H(H(s+u)+q) predictable. Which would be a ludicrous break of the hash.
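An added example (not from either thread's participants) putting both conversations together: a pool mixed as State = H(State + Entropy), a clone built from a leaked state that reproduces outputs until the next reseed, and the recovery once one sample u the attacker never sees is mixed in before their own q, i.e. H(H(s+u)+q). The counter-mode output derivation and all sample values are assumptions made for the demo; "+" is byte concatenation.

```python
import hashlib
import os


class HashPool:
    """Entropy pool mixed as the thread describes: state = H(state || sample).
    Output derivation (hash of state and a counter) is an assumption for this demo."""

    def __init__(self, state: bytes, counter: int = 0):
        self.state = state
        self.counter = counter

    @classmethod
    def from_seed(cls, seed: bytes) -> "HashPool":
        return cls(hashlib.sha256(seed).digest())

    def mix(self, sample: bytes) -> None:
        # State = H(State + Entropy), "+" being concatenation
        self.state = hashlib.sha256(self.state + sample).digest()

    def output(self) -> bytes:
        # Counter-mode output so the raw state is never handed out directly
        block = hashlib.sha256(self.state + b"out" + self.counter.to_bytes(8, "big")).digest()
        self.counter += 1
        return block


def state_leak_predicts_outputs(n: int = 4) -> bool:
    """A Heartbleed-like read of the state lets a clone reproduce every output until the next reseed."""
    victim = HashPool.from_seed(b"constructed seed")
    clone = HashPool(victim.state, victim.counter)  # exactly what the memory disclosure gave away
    return all(victim.output() == clone.output() for _ in range(n))


def reseed_with_unknown_recovers(q: bytes, n: int = 4) -> bool:
    """After the leak, mix one sample u the attacker cannot see, then the attacker's own q.
    The clone knows s and q but not u, so H(H(s+u)+q) is opaque to it and its predictions diverge."""
    victim = HashPool.from_seed(b"constructed seed")
    clone = HashPool(victim.state, victim.counter)
    u = os.urandom(32)  # the single good entropy source; constructed here, unseen by the attacker
    victim.mix(u)
    victim.mix(q)       # attacker-supplied sample: harmless as long as u was unpredictable
    clone.mix(q)        # the best the attacker can model without u
    return all(victim.output() != clone.output() for _ in range(n))


if __name__ == "__main__":
    print("state leak predicts outputs:", state_leak_predicts_outputs())
    print("unknown reseed recovers:", reseed_with_unknown_recovers(b"bad entropy from attacker"))
```

The recovery holds only while u is genuinely unpredictable to the attacker; a low-entropy u is the case the thread's "you lose" covers.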
End of conversation
New conversation -