"Why does ntpkeygen pass a low entropy ignored seed into SystemRandom?"

Gary E. Miller gem at rellim.com
Wed Jan 4 04:31:39 UTC 2017


Yo Greg!

On Wed, 04 Jan 2017 04:19:58 +0000
Greg Rubin <grrubin at gmail.com> wrote:

> Gary,
> 
> I'll admit that I'm not a python expert by any means, but I'm pretty
> certain that the seed is ignored:
> http://svn.python.org/projects/python/tags/r30rc1/Lib/random.py
> 
> class SystemRandom(Random):
> ...
> def seed(self, *args, **kwds):
> "Stub method.  Not used for a system random number generator."
> return None

As the man page says, SystemRandom() does not use seed()

https://docs.python.org/2/library/random.html

"Accordingly, the seed() and jumpahead() methods have no effect and
are ignored."

> While you're correct that mixing in poor entropy /should/ be safe
> (and in this case it is, because it is ignored)

NOT ignored.  I'll be happy to cite Python source if you want to dig
in with me.

> that is less often
> true for initially provided seeds. There have traditionally been
> cases (Java SHA1PRNG, for example) which if initialized with an
> explicit seed will use that rather than properly self-seeding with
> strong entropy. After the initial seed it would properly mix in even
> weak entropy.

SystemRandom() calls os.urandom() that calls /dev/urandom. /dev/urandom
does not take a seed.  The 'seed' is just used later as a mixer, so it
is not really a 'seed'.

> As far as the argument about the differences between random and
> urandom, assuming you aren't generating your long-term keys on a
> fresh virtual machine, there should be no practical security
> difference between random and urandom. I find this essay does an
> excellent job of explaining why urandom is preferable:
> http://www.2uo.de/myths-about-urandom/

I'll look at that.  Probably a good thing to add some documentation
about only running on hosts that already have a lot of entropy.

How about we ask the user to add some command line entropy too?

Got any good ideas on some other good entropy to stir into the mix?

> Finally, modern Linux kernels will use Intel RDRAND as part of the
> input into both random and urandom, so either way, you have excellent
> entropy mixed in (even on virtualized systems).

Oh, do not get me started on RDRAND.  RDRAND is commonly thought to
be backdoored:

http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/

> Hope that helps.

Yes, you have given me a nice project.  I love paranoid people!


RGDS
GARY

Veritas liberabit vos
Quid est veritas?
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com  Tel:+1 541 382 8588
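Both halves of the disagreement above can be checked directly: whether SystemRandom actually ignores the seed it is handed, and what a mixing step that adds operator-supplied entropy without ever replacing the kernel's randomness looks like. The following is an added example written for this page; it is not ntpkeygen's code nor anything from the NTPsec project. The HMAC-SHA256 construction and the `system_bytes` test hook are the editor's own choices and are not something the thread proposes.

```python
"""Added example, not code from ntpkeygen or NTPsec.

  1. random.SystemRandom ignores any seed it is given (seed() is a stub),
     while random.Random (Mersenne Twister) is fully determined by it.
  2. One way to stir caller-supplied entropy (e.g. from the command line)
     into os.urandom output such that weak or attacker-chosen extra input
     cannot make the result worse than os.urandom alone.
"""
import hashlib
import hmac
import os
import random


def seed_has_effect(make_rng, seed, draws=4):
    """Seed two fresh generators identically and compare their first draws.

    Returns True when the seed determines the output stream, False when the
    generator ignores it.  Four 128-bit draws colliding by chance has
    probability 2**-512, so a False here is not a fluke."""
    a, b = make_rng(seed), make_rng(seed)
    first = [a.getrandbits(128) for _ in range(draws)]
    second = [b.getrandbits(128) for _ in range(draws)]
    return first == second


def check_seed_behaviour(seed=12345):
    """Report whether the seed matters for each of the two generators."""
    return {
        "Random": seed_has_effect(random.Random, seed),
        "SystemRandom": seed_has_effect(random.SystemRandom, seed),
    }


def stir_entropy(extra, nbytes=32, system_bytes=None):
    """Combine kernel randomness with caller-supplied 'extra' material.

    The os.urandom bytes are the HMAC-SHA256 key and 'extra' is the
    message, so the output is a PRF of the kernel randomness: an empty,
    low-entropy or attacker-chosen 'extra' cannot reduce the result below
    what os.urandom alone provides; it can only add.  This is the opposite
    of a generator that replaces its self-seeding with a caller seed.

    'system_bytes' is a hypothetical test hook (assumed here, not part of
    ntpkeygen) so the mixing step can be checked with fixed input; real
    callers leave it None and get os.urandom."""
    if not 1 <= nbytes <= hashlib.sha256().digest_size:
        raise ValueError("nbytes must be between 1 and 32 for SHA-256")
    if system_bytes is None:
        system_bytes = os.urandom(32)
    if len(system_bytes) < 32:
        raise ValueError("system_bytes must supply at least 32 bytes")
    return hmac.new(system_bytes, extra, hashlib.sha256).digest()[:nbytes]


if __name__ == "__main__":
    print("seed determines output:", check_seed_behaviour())
    key = stir_entropy(b"operator supplied text from the command line", 20)
    print("20-byte key with stirred entropy:", key.hex())
```

Run it and the first line reports `{'Random': True, 'SystemRandom': False}`: two Mersenne Twister instances seeded the same way produce the same stream, two SystemRandom instances seeded the same way do not, because the seed never reaches /dev/urandom. The stirring function never returns less than 32 bytes of kernel randomness worth of strength regardless of how poor the command-line input is, which is the property you want before inviting operators to "add some entropy".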