RNG: is it possible to spoil /dev/random by seeding it from (evil) TRNGs (was: howto secure older keys after the recent attacks)
David Shaw
dshaw at jabberwocky.com
Tue Oct 9 18:16:27 CEST 2012
On Oct 8, 2012, at 6:20 PM, Christoph Anton Mitterer <christoph.anton.mitterer at physik.uni-muenchen.de> wrote:
> Hi David.
>
> Long time ago, the following[0] ;)
>
> I recently stumbled across that question again,... when I deployed
> haveged on our faculty's HPC cluster...
> So I've asked[1] around at lkml, whether a malicious (or just bad)
> entropy source could spoil the kernel's RNG.
>
> Ted Ts'o, who currently maintains that part, said (see the thread) that he
> wouldn't know of any way that could be done, but...
>
>
> On Thu, 2009-09-10 at 22:35 -0400, David Shaw wrote:
>>> 3) One problem with such devices is,.. that one can never know (well,
>>> at least normal folks like me) how good they actually are.
>>> If this company were evil (a subsidiary of the NSA or so) they could
>>> just sell bad devices that produce poor entropy, thus rendering our
>>> (symmetric and asymmetric) keys, signatures etc. "useless". Right?
>>
>> Not completely useless given the Linux random design, but certainly an
>> evil source of entropy would be a serious problem. Do you have any
>> reason to believe this device is evil? There are many random number
>> generators on the market. Knowing which ones are evil would be handy ;)
> ... your reply seems to somehow imply that it could...
>
> So he (and I) wondered about the reasons :)
The message is from three years ago, so I'm honestly not sure where I was going with that thought at the time. Most likely, I was thinking about someone using an evil device for entropy directly rather than through a /dev/random that deals with the evil source case.
To be clear: I do not know of any way an evil input can somehow subvert the output of /dev/random on Linux. My understanding was that it was designed to prevent that.
David
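The thread above turns on one design property: contributions from an untrusted source are mixed into the existing pool state through a one-way function rather than replacing it, so a device that feeds known or constant bytes cannot erase the entropy that other sources already contributed. The following is an added illustration of that principle, written for this page and not taken from the thread, from GnuPG, or from the Linux kernel (whose real mixing function and entropy accounting are not shown here). It uses a simplified SHA-256 accumulator as the "good" pool and a deliberately naive replace-the-state design for contrast; the input bytes, the round counts and the function names `mix`, `overwrite`, `feed`, `distinct_outputs` and `attacker_can_predict` are all assumptions made for the example.

```python
import hashlib

# Simplified model, not the Linux kernel's pool: state is a 32-byte hash value.
POOL_BYTES = 32
EVIL_OUTPUT = b"evil-device-output"  # constructed: what a bad/evil TRNG always emits


def mix(pool: bytes, contribution: bytes) -> bytes:
    """Accumulating one-way step: the new state depends on the old state AND
    the new bytes, so nothing already mixed in can be cancelled by later input."""
    return hashlib.sha256(pool + contribution).digest()


def overwrite(pool: bytes, contribution: bytes) -> bytes:
    """Deliberately bad design for contrast: the latest contribution replaces
    the state, so whoever contributes last decides the output."""
    return hashlib.sha256(contribution).digest()


def feed(step, pool: bytes, honest_contribs, evil_contribs) -> bytes:
    """Interleave an honest source and an attacker-controlled source through
    the given mixing step, the way several entropy sources share one pool."""
    for honest, evil in zip(honest_contribs, evil_contribs):
        pool = step(pool, honest)
        pool = step(pool, evil)
    return pool


def honest_stream(seed: int, rounds: int):
    """Constructed honest contributions: a small secret seed plus a round tag."""
    return [seed.to_bytes(2, "big") + bytes([r]) for r in range(rounds)]


def distinct_outputs(step, trials: int = 256, rounds: int = 4) -> int:
    """Count the distinct final pool states across `trials` honest seeds while
    the evil device emits the same bytes every time. If the evil source could
    make the pool ignore the honest source, this collapses to 1."""
    evil = [EVIL_OUTPUT] * rounds
    seen = set()
    for seed in range(trials):
        seen.add(feed(step, b"\x00" * POOL_BYTES, honest_stream(seed, rounds), evil))
    return len(seen)


def attacker_can_predict(step, honest_seed: int, rounds: int = 4) -> bool:
    """The attacker knows its own contributions but not the honest seed, and
    predicts the output by pretending the honest source contributed nothing.
    Returns True if that prediction matches the real final state."""
    evil = [EVIL_OUTPUT] * rounds
    real = feed(step, b"\x00" * POOL_BYTES, honest_stream(honest_seed, rounds), evil)
    guess = feed(step, b"\x00" * POOL_BYTES, [b""] * rounds, evil)
    return guess == real


if __name__ == "__main__":
    for name, step in (("mix", mix), ("overwrite", overwrite)):
        print(f"{name:9s} distinct outputs over 256 honest seeds: "
              f"{distinct_outputs(step)}, attacker predicts output: "
              f"{attacker_can_predict(step, honest_seed=7)}")
```

Under `mix`, the evil device's constant output leaves all 256 honest-seed outcomes distinct and the attacker's prediction fails, so the worst a bad device can do in this model is contribute nothing. Under `overwrite`, the evil device's last contribution fixes the output regardless of the honest source. What this toy cannot show is the other half of the real risk that the thread touches on: a source that is trusted with an entropy *credit* it does not deserve can make the pool look ready before it is, which is an accounting question rather than a mixing question.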