[CentOS] Can we trust RedHAt encryption tools?

Fri Jan 10 21:10:14 UTC 2014
James B. Byrne <byrnejb at harte-lyne.ca>

On Thu, January 9, 2014 17:52, m.roth at 5-cent.us wrote:
> Robert Moskowitz wrote:
>>
>> On 01/09/2014 05:28 PM, John R Pierce wrote:
>>> On 1/9/2014 2:20 PM, Eero Volotinen wrote:
>>>> It might be easier to compromise security of commercial products as
>>>> source code is not available. they seem to have succeeded in compromising
>>>>> STANDARDS and ALGORITHMS, to heck with implementations.
>>
>> Only algorithm they compromised was an RNG that got pretty strong thumbs
>> down from the real cryptographers.  They have not compromised any IETF
>> standard; maybe kept quite about a problem, but have not put holes in
>> any.  Most of our problems with TLS is implementations and backwards
>> compatiblity options.
>
> Not quite - anyone mandated to POSIX standards are effectively mandated to
> use the compromised algorithms, as I understand it.
>
>        mark

Well, regardless of my thoughts on the ethics of this situation and my opinion
about those who do these sorts of things, I have continued to research this
issue.  I have discovered that there is a great deal of literature respecting
the weakness of the RNG and PRNG processes implemented on headless hosts, in
particular headless hosts that are virtualised. Given the essential nature of
true random number generation to cryptographically secure key creation this 
represents a significant weak point on such hosts.

I am not going to reiterate or summarize any of this here because you can find
these discussions easily enough via Google.  However, I have developed a small
script to alleviate the problem to some degree based on the writings and works
of others.  This requires the epel repository be enabled:

#!/bin/bash
cat /proc/sys/kernel/random/entropy_avail
yum install dieharder haveged rng-tools -q -y
cat /etc/sysconfig/rngd
sed -i 's:EXTRAOPTIONS="":EXTRAOPTIONS="-r /dev/urandom":' /etc/sysconfig/rngd
cat /etc/sysconfig/rngd
chkconfig --level 2345 haveged on ; chkconfig --level 2345 rngd on
service haveged start ; service rngd start
cat /proc/sys/kernel/random/entropy_avail

This increased the mean amount of entropy present in /dev/random on the
systems I installed these packages on from ~176 bits to ~2048 bits.

I continue to look into other related matters.

-- 
***          E-Mail is NOT a SECURE channel          ***
James B. Byrne                mailto:ByrneJB at Harte-Lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3