schoenLOYALTY.ORG

• Next message: Robert van der Meulen: "Remote access vulnerability in all MySQL server versions"
• Previous message: Torsten Landschoff: "Re: Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0"
• In reply to: Ian Turner: "Re: Tempfile vulnerabilities"
• Next in thread: Peter Berendi: "Re: Tempfile vulnerabilities"
• Reply: Seth David Schoen: "Re: Tempfile vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Ian Turner writes:

> > Can be so easy to DoS cryptographic software?
>
> Yes. If you don't trust your users to not deplete the entropy, then don't
> give them permission to read it.

An intermediate possibility is to have multiple RNGs with multiple sources
of entropy, or multiple RNGs with entropy divided among them somehow, or
a single RNG which enforces a reasonable policy of some sort when multiple
processes want to access it at once.

Modern multiuser operating systems have solved all _kinds_ of problems around
concurrency and dealing with contention over a shared resource. There is
no reason that they should not be able to do exactly the same thing for an
entropy pool, if it becomes an issue.

--
Seth David Schoen <schoenloyalty.org>  | And do not say, I will study when I
Temp.  http://www.loyalty.org/~schoen/  | have leisure; for perhaps you will
down:  http://www.loyalty.org/   (CAF)  | not have leisure.  -- Pirke Avot 2:5

• Next message: Robert van der Meulen: "Remote access vulnerability in all MySQL server versions"
• Previous message: Torsten Landschoff: "Re: Debian (frozen): Perms on /usr/lib/libguile.so.6.0.0"
• In reply to: Ian Turner: "Re: Tempfile vulnerabilities"
• Next in thread: Peter Berendi: "Re: Tempfile vulnerabilities"
• Reply: Seth David Schoen: "Re: Tempfile vulnerabilities"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]