/dev/random, jenereta yotetezedwa yachinsinsi yachinsinsi (CSPRNG), imadziwika kuti ili ndi vuto limodzi losautsa: kutsekereza. Nkhaniyi ikufotokoza mmene mungathetsere vutoli.
M'miyezi ingapo yapitayi, malo opangira manambala mwachisawawa mu kernel adakonzedwanso pang'ono, koma zovuta mu subsystem iyi zidathetsedwa pakupita kwanthawi yayitali. . Kwambiri adapangidwa kuti aletse foni ya getrandom () kuti isatsekeredwe kwa nthawi yayitali pomwe ma boot a system ayamba, koma chifukwa chachikulu cha izi chinali kutsekereza dziwe lachisawawa. Chigamba chaposachedwa chikadachotsa dziwe ili ndipo chikuyembekezeka kulowera pachimake chachikulu.
Andy Lutomirski adasindikiza mtundu wachitatu wa chigambacho kumapeto kwa Disembala. Iye amathandizira "zosintha ziwiri zazikulu za semantic ku Linux APIs mwachisawawa". Chigambacho chikuwonjezera mbendera yatsopano ya GRND_INSECURE ku foni ya getrandom() (ngakhale Lutomirsky amatchula kuti getentropy(), yomwe imayikidwa mu glibc pogwiritsa ntchito getrandom() yokhala ndi mbendera zokhazikika); mbendera iyi imapangitsa kuyimba kuti nthawi zonse kubweze kuchuluka kwa zomwe zafunsidwa, koma popanda kutsimikizira kuti detayo ndi yachisawawa. Kernel imangochita zonse zomwe ingathe kuti ipange zidziwitso zabwino kwambiri zomwe ili nazo panthawi yake. "Mwina chinthu chabwino kuchita ndikuchitcha 'INSECURE' (osatetezeka) kuti API iyi isagwiritsidwe ntchito pazinthu zomwe zimafunikira chitetezo."
Zigambazo zimachotsanso dziwe lotsekera. Kernel pakadali pano imakhala ndi maiwe awiri osasinthika, imodzi yofanana ndi / dev/random ndi inayo / dev/urandom, monga tafotokozera mu izi. 2015. Dziwe lotsekera ndilo dziwe la /dev/random; amawerenga kuti chipangizocho chidzatsekereza (kutanthauza dzina lake) mpaka "zokwanira" entropy itasonkhanitsidwa kuchokera kudongosolo kuti ikwaniritse pempholo. Kuwerenga kwina kuchokera pafayiloyi kumatsekedwanso ngati palibe entropy yokwanira mu dziwe.
Kuchotsa dziwe lotsekera kumatanthauza kuti kuwerenga kuchokera ku / dev/chisawawa kumachita ngati getrandom() yokhala ndi mbendera zoyikidwa ziro (ndikusintha mbendera ya GRND_RANDOM kukhala noop). Makina opanga manambala a cryptographic (CRNG) akakhazikitsidwa, kuwerenga kuchokera /dev/mwachisawawa ndikuyimba foni kupita ku getrandom(...,0) sikungatseke ndipo kubweza kuchuluka komwe kwafunsidwa kwachisawawa.
Lutomirsky akuti: "Ndikukhulupirira kuti dziwe lotsekera la Linux latha. CRNG Linux imapanga zotulutsa zomwe ndi zabwino zokwanira kuti zigwiritsidwe ntchito pakupanga makiyi. Dziwe lotsekereza silikhala lamphamvu mwanjira iliyonse ndipo limafuna zida zambiri zamtengo wokayikitsa kuti zithandizire. β
Zosinthazo zidapangidwa ndi cholinga chowonetsetsa kuti mapulogalamu omwe alipo sangakhudzidwe kwenikweni, ndipo kwenikweni, padzakhala zovuta zochepa ndikudikirira kwanthawi yayitali zinthu monga GnuPG key generation.
"Zigawozi siziyenera kusokoneza mapulogalamu omwe alipo. /dev/urandom imakhalabe yosasinthika. /dev/mwachisawawa imatsekabe nthawi yomweyo pa boot, koma imatchinga mocheperapo kuposa kale. getentropy() yokhala ndi mbendera zomwe zilipo zibweretsa zotsatira zomwe zili zoyenera pazolinga zenizeni monga kale. "
Lutomirsky adanenanso kuti akadali funso lotseguka ngati kernel iyenera kupereka zomwe zimatchedwa "manambala enieni osasintha," zomwe ndi zomwe kernel yotsekereza imayenera kuchita pamlingo winawake. Amaona chifukwa chimodzi chokha cha izi: βkutsata miyezo ya boma.β Lutomirsky adanena kuti ngati kernel ikupereka izi, ziyenera kuchitidwa kudzera mu mawonekedwe osiyana kwambiri, kapena ziyenera kusunthira kumalo ogwiritsira ntchito, kulola wogwiritsa ntchito kupeza zitsanzo za zochitika zosaphika zomwe zingagwiritsidwe ntchito popanga dziwe lotsekera.
Stephan MΓΌller adapereka lingaliro lake ya Linux Random Number Generator (LRNG) (yomwe pano yatulutsidwa 26) ikhoza kukhala njira yoperekera manambala enieni osasinthika kwa mapulogalamu omwe akufunika. LRNG "imagwirizana kwathunthu ndi Malangizo a SP800-90B pa Entropy Sources Zogwiritsidwa Ntchito Kupanga Ma Bits Mwachisawawa," zomwe zimapangitsa kuti ikhale yankho ku vuto la miyezo ya boma.
Matthew Garrett anatsutsa mawu oti "chidziwitso chowona mwachisawawa," ponena kuti zida zomwe zidatengedwa zitha kusinthidwa bwino kuti zidziwike kuti: "Sitikutengera kuchuluka kwa zochitika pano."
MΓΌller adayankha kuti mawuwa amachokera ku German standard AIS 31 kufotokoza jenereta yachisawawa yomwe imangotulutsa zotsatira "pamlingo womwewo womwe gwero la phokoso limatulutsa entropy."
Kusiyanitsa kwa mawu pambali, kukhala ndi dziwe lokhoma monga momwe zigamba za LRNG zimangobweretsera mavuto osiyanasiyana, makamaka ngati zitapezeka popanda mwayi.
Monga Lutomirsky anati: βIzi sizithetsa vuto. Ngati ogwiritsa ntchito awiri osiyana amayendetsa mapulogalamu opusa ngati gnupg, amangothamangitsana. Ndikuwona kuti pakali pano pali zovuta ziwiri zazikulu ndi / dev/random: ndizosavuta ku DoS (ie kutha kwa zinthu, kukopa koyipa kapena zina zofananira), ndipo popeza palibe mwayi wofunikira kugwiritsa ntchito, imakondanso kuzunzidwa. Gnupg ndiyolakwika, ndikugwa kwathunthu. Ngati tiwonjezera mawonekedwe atsopano opanda mwayi omwe gnupg ndi mapulogalamu ofanana adzagwiritsa ntchito, tidzatayanso. "
Mueller adanenanso kuti kuwonjezera kwa getrandom() tsopano kulola GnuPG kugwiritsa ntchito mawonekedwewa, chifukwa ipereka chitsimikizo chofunikira kuti dziwe lakhazikitsidwa. Kutengera pazokambirana ndi wopanga GnuPG Werner Koch, Mueller amakhulupirira kuti chitsimikizo ndi chifukwa chokhacho chomwe GnuPG imawerengera mwachindunji kuchokera ku /dev/random. Koma ngati pali mawonekedwe osasamala omwe amatha kukana ntchito (monga / dev/random lero), Lutomirsky akutsutsa kuti idzagwiritsidwa ntchito molakwika ndi mapulogalamu ena.
Theodore Yue Tak Ts'o, wopanga manambala ang'onoang'ono a Linux, akuwoneka kuti wasintha malingaliro ake pakufunika kwa dziwe lotsekereza. Anati kuchotsa dziweli kuthetseratu lingaliro lakuti Linux ili ndi jenereta yeniyeni yeniyeni (TRNG): "izi sizopanda pake, chifukwa izi ndi zomwe *BSD yakhala ikuchita nthawi zonse."
Akudanso kuti kupereka njira ya TRNG kumangokhala nyambo kwa opanga mapulogalamu ndipo amakhulupirira kuti, chifukwa cha mitundu yosiyanasiyana ya hardware yomwe imathandizidwa ndi Linux, ndizosatheka kutsimikizira TRNG mu kernel. Ngakhale kuthekera kogwira ntchito ndi zida kokha ndi mwayi wa mizu sikungathetse vutoli: "Opanga mapulogalamu anena kuti mapulogalamu awo akhazikitsidwe ngati maziko achitetezo, kotero kuti iyi ndi njira yokhayo yomwe mungapezere manambala 'abwino kwambiri' osasinthika."
Mueller adafunsa ngati Cao adasiya kukhazikitsa dziwe lotsekereza lomwe iye adafuna kwa nthawi yayitali. Cao adayankha kuti akufuna kutenga zigamba za Lutomirsky ndikutsutsa mwamphamvu kuwonjezera mawonekedwe otsekereza kubwerera ku kernel.
"Khora silingatsimikizire ngati phokoso lidadziwika bwino. Chokhacho chomwe wopanga GPG kapena OpenSSL angapeze ndikumverera kosamveka kuti TRUERANDOM ndi "bwino", ndipo popeza akufuna chitetezo chochulukirapo, mosakayika adzayesa kuchigwiritsa ntchito. Nthawi ina idzatsekedwa, ndipo pamene wogwiritsa ntchito wina wanzeru (mwina katswiri wogawa) ayika mu init script ndipo makina amasiya kugwira ntchito, ogwiritsa ntchito adzangodandaula kwa Linus Torvalds mwiniwake. "
Cao imalimbikitsanso kupatsa olemba ma cryptographer ndi iwo omwe amafunikira TRNG njira yokololera okha entropy mu malo ogwiritsa ntchito momwe angafunire. Akuti kusonkhanitsa entropy si njira yomwe imatha kuchitidwa ndi kernel pamitundu yonse yosiyanasiyana yomwe imathandizira, komanso kernel yokhayo siyingayerekeze kuchuluka kwa entropy komwe kumaperekedwa ndi magwero osiyanasiyana.
"Kereni sikuyenera kusakaniza magwero osiyanasiyana a phokoso palimodzi, ndipo sikuyenera kuyesera kunena kuti ikudziwa kuchuluka kwa ma entropy yomwe ikupeza pamene ikuyesera kusewera mtundu wina wa" masewero a "twitchy entropy" pa CPU yosavuta kwambiri. Zomangamanga za ogwiritsa ntchito. IOT/Zomwe zili mkati zomwe zonse sizikulumikizana ndi master oscillator imodzi, pomwe palibe malangizo a CPU oti akonzenso kapena kutcha dzina lolembetsa, ndi zina zambiri.
"Mutha kulankhula za kupereka zida zomwe zimayesa kuwerengera izi, koma zinthu zotere ziyenera kuchitika pazida za aliyense wogwiritsa ntchito, zomwe sizothandiza kwa ogwiritsa ntchito ambiri. Ngati izi zimangopangidwira olemba ma cryptographer, ndiye kuti zichitike pamalo awo ogwiritsa ntchito. Ndipo tisamachepetse GPG, OpenSSL, ndi zina zotero kuti aliyense azinena kuti "tikufuna "mwachisawawa chenicheni" ndipo osakhazikika pang'ono. Titha kulankhula za momwe timaperekera zolumikizira kwa olemba ma cryptographer kuti athe kupeza zambiri zomwe akufunikira popeza magwero a phokoso, olekanitsidwa ndi kutchulidwa, ndipo mwina mwanjira inayake gwero la phokoso lingathe kudzitsimikizira lokha ku laibulale kapena kugwiritsa ntchito malo ogwiritsira ntchito. "
Panali zokambirana za momwe mawonekedwe otere angawonekere, popeza mwachitsanzo pakhoza kukhala zokhuza chitetezo pazochitika zina. Cao adanenanso kuti makina ojambulira kiyibodi (ie makiyi) amasakanizidwa mu dziwe ngati gawo la zosonkhanitsa za entropy: "Kubweretsa izi kumalo ogwiritsira ntchito, ngakhale kudzera pa foni yam'manja, sikungakhale kwanzeru kunena pang'ono." Ndizotheka kuti nthawi zina zazochitika zitha kutulutsa mtundu wina wa chidziwitso kudzera munjira zam'mbali.
Chifukwa chake zikuwoneka ngati vuto lomwe lakhalapo kwakanthawi ndi nambala yachisawawa ya Linux ili m'njira yothetsera. Kusintha komwe kachitidwe kakang'ono ka manambala kwachitika posachedwa kwangobweretsa zovuta za DoS mukugwiritsa ntchito. Tsopano pali njira zabwino zopezera manambala abwino kwambiri omwe kernel angapereke. Ngati TRNG ikadali yofunikira pa Linux, ndiye kuti cholakwika ichi chidzayankhidwa mtsogolo, koma mwina izi sizingachitike mkati mwa kernel yokha.
Zotsatsa zina π
Zikomo chifukwa chokhala nafe. Kodi mumakonda zolemba zathu? Mukufuna kuwona zambiri zosangalatsa? Tithandizeni potipatsa oda kapena kulimbikitsa anzathu, , ma analogi apadera a ma seva olowera, omwe adakupangirani inu: (ikupezeka ndi RAID1 ndi RAID10, mpaka 24 cores mpaka 40GB DDR4).
Dell R730xd 2x yotsika mtengo ku Equinix Tier IV data center ku Amsterdam? Pokhapokha ku Netherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - kuchokera $99! Werengani za
Source: www.habr.com