/dev/random, cryptographically yakachengeteka pseudo-random nhamba jenareta (CSPRNG), inozivikanwa kuva nedambudziko rimwe rinogumbura: kuvharira. Nyaya ino inotsanangura kuti ungazvipedza sei.
Mumwedzi mishoma yadarika, zvivakwa zvekugadzira nhamba mu kernel zvakagadziridzwa zvishoma, asi matambudziko mune iyi subsystem akagadziriswa pamusoro pekufamba kweiyo yakafara. . The most zvakaitwa kudzivirira getrandom () system call kubva pakuvhara kwenguva yakareba kana system boots, asi chikonzero cheichi chaive chekuvharira hunhu hwedziva risingaite. Chigamba chichangoburwa chingadai chakabvisa dziva iri uye raizotarisirwa kuti riende kumucheto mukuru.
Andy Lutomirski akaburitsa vhezheni yechitatu yechigamba pakupera kwaZvita. Anobatsira "kuchinja kukuru kwesemantic kune random Linux APIs". Chigamba chinowedzera mureza mutsva weGRND_INSECURE kune getrandom() system call (kunyangwe Lutomirsky ichireva se getentropy(), iyo inoshandiswa mu glibc uchishandisa getrandom() ine mireza yakatarwa); mureza uyu unokonzeresa kuti kufona nguva dzose kudzose huwandu hwe data yakakumbirwa, asi pasina kuvimbisa kuti iyo data haina kurongeka. Iyo kernel inongoita zvainogona kuburitsa yakanakisa random data yainayo panguva yakapihwa. "Zvichida chinhu chakanakisa kuita kudana kuti 'INSECURE' (kusachengeteka) kudzivirira API iyi kuti isashandiswe pazvinhu zvinoda kuchengetedzwa."
Zvigamba zvinobvisawo dziva rekuvhara. Iyo kernel parizvino inochengetedza maviri asina kurongeka data dziva, imwe inoenderana ne / dev / isina kujairika uye imwe ku / dev / urandom, sezvakatsanangurwa mune ino. 2015. Dziva rinovharira ndiro dziva re/dev/random; inoverenga kuti mudziyo unovhara (zvinoreva zita rayo) kusvika "zvakwana" entropy yaunganidzwa kubva kuhurongwa kugutsa chikumbiro. Kuwedzera kuverenga kubva kufaira iyi kwakavharwawo kana pasina entropy yakakwana mudziva.
Kubvisa dziva rekukiya kunoreva kuti kuverenga kubva ku/dev/random kunoita senge getrandom() ine mireza yakaiswa zero (uye inoshandura mureza weGRND_RANDOM kuita noop). Kamwe iyo cryptographic random number jenareta (CRNG) yatangwa, kuverenga kubva /dev/random uye kufona kune getrandom(...,0) haizovharidzi uye ichadzosa iyo yakakumbirwa yedata data.
Lutomirsky anoti: "Ini ndinotenda kuti dziva rekuvharisa Linux harichashandi. CRNG Linux inogadzira inobuda yakanaka zvekuti inogona kushandiswa kugadzirwa kiyi. Dziva rekuvharira harina kusimba mune chero chinhu uye rinoda hurongwa hwakawanda hwehukoshi husina chokwadi kuti hutsigire. "
Shanduko idzi dzakaitwa nechinangwa chekuona kuti zvirongwa zviripo hazvizokanganiswe, uye kutaura zvazviri, paizova nematambudziko mashoma nekumirira kwenguva refu zvinhu zvakaita seGnuPG key generation.
βZvikamu izvi hazvifanire kukanganisa zvirongwa zviripo. /dev/urandom inoramba isina kuchinjwa. /dev/random ichiri kuvharira pakarepo pabhoti, asi inovhara zvishoma kupfuura kare. getentropy() ine mireza iripo inodzosa mhedzisiro yakangokodzera kune zvinoshanda sepakutanga."
Lutomirsky akacherekedza kuti uchiri mubvunzo wakavhurika wekuti kernel inofanira kupa inodaidzwa kuti "nhamba dzechokwadi dzisina kujairika," izvo ndizvo izvo kernel inovhara yaifanirwa kuita kune imwe nhanho. Anoona chikonzero chimwe chete cheizvi: βkutevedzera zvinodiwa nehurumende.β Lutomirsky akakurudzira kuti kana kernel yaizopa izvi, inofanira kuitwa kuburikidza neyakasiyana zvachose interface, kana kuti inofanira kutamirwa munzvimbo yevashandisi, ichibvumira mushandisi kuti atore masampula ezviitiko zvinogona kushandiswa kugadzira dziva rekukiya rakadaro.
Stephan MΓΌller akakurudzira kuti seti yake yeLinux Random Number Generator (LRNG) (ikozvino vhezheni 26 yakaburitswa) inogona kunge iri nzira yekupa echokwadi manhamba asina kujairika kune anoida. LRNG "inoenderana zvizere neSP800-90B Mirayiridzo paEntropy Sources Inoshandiswa Kugadzira Random Bits," zvichiita kuti ive mhinduro kudambudziko remitemo yehurumende.
Matthew Garrett akapokana nezwi rekuti "yechokwadi isina kurongeka data," achiona kuti michina yakatorwa inogona kuenzanisirwa chaizvo kuti iite fungidziro: "hatisi kuenzanisa zviitiko zvehuwandu pano."
MΓΌller akapindura kuti izwi iri rinobva kuGerman standard AIS 31 kurondedzera isina kujairika nhamba jenareta inongoburitsa mhedzisiro "pamwero wakafanana neunobva pazasi ruzha sosi inoburitsa entropy."
Terminology misiyano padivi, kuve nekiyi dziva sezvakakurudzirwa neLRNG zvigamba zvinongotungamira kune akasiyana matambudziko, zvirinani kana yakawanikwa pasina ropafadzo.
Sezvo Lutomirsky akati: βIzvi hazvipedzi dambudziko. Kana vashandisi vaviri vakasiyana vakamhanyisa zvirongwa zvehupenzi senge gnupg, ivo vanozongodzvokorana. Ndiri kuona kuti parizvino kune matambudziko maviri makuru ne/dev/random: inotarirwa kuDoS (kureva kuderedzwa kwezviwanikwa, kufurira kwakashata kana chimwe chinhu chakafanana), uye sezvo pasina ropafadzo dzinodiwa kuti uishandise, zvakare inogona kushungurudzwa. Gnupg haina kururama, iko kuparara zvachose. Kana tikawedzera imwe itsva isina rusarura interface iyo gnupg uye mapurogiramu akafanana achashandisa, ticharasikirwa zvakare. "
Mueller akacherekedza kuti kuwedzererwa kwe getrandom() iko zvino kuchatendera GnuPG kushandisa iyi interface, sezvo ichizopa vimbiso inodiwa yekuti dziva ratanga. Zvichienderana nenhaurirano neGnuPG mugadziri Werner Koch, Mueller anotenda kuti vimbiso ndiyo yega chikonzero GnuPG parizvino inoverenga zvakananga kubva /dev/random. Asi kana paine chimiro chisina kurongeka chinogona kurambwa sevhisi (se/dev/random nhasi), Lutomirsky anopokana kuti ichashandiswa zvisizvo nemamwe maapplication.
Theodore Yue Tak Ts'o, mugadziri weLinux's random number subsystem, anoita kunge akachinja pfungwa dzake nezve kudiwa kwedziva rekuvharisa. Akataura kuti kubvisa dziva iri kwaizonyatso bvisa pfungwa yekuti Linux ine yechokwadi random nhamba jenareta (TRNG): "izvi hazvisi zvisina maturo, nekuti ndizvo chaizvo zvagara zvichiitwa neBSD."
Ane hanyawo kuti kupa TRNG michina inongoshanda sechirauro chevagadziri vekushandisa uye anotenda kuti chokwadi, kupihwa mhando dzakasiyana dzehardware dzinotsigirwa neLinux, hazvibviri kuvimbisa TRNG mukernel. Kunyangwe kugona kushanda nemidziyo chete nemaropafadzo emidzi hakugadzirise dambudziko: "Vagadziri veApplication vanotsanangura kuti application yavo iiswe semudzi wezvinangwa zvekuchengetedza, kuti ndiyo yega nzira yaunokwanisa kuwana iyo 'yakanaka chaizvo' nhamba dzisina kurongeka."
Mueller akabvunza kana Cao akasiya nzira yekuvharisa dziva iro iye pachake akanga ataura kare. Cao akapindura kuti anoronga kutora zvigamba zveLutomirsky uye anopikisa zvakasimba kuwedzera inovharira interface kudzokera kukernel.
"Kernel haigone kuita chero vimbiso yekuti kwacho ruzha rwakanyatsoratidzwa. Chinhu chega chinogona kuwanikwa neGPG kana OpenSSL kuvandudza kunzwa kusinganzwisisike kuti TRUERANDOM "iri nani", uye sezvo ivo vachida kuchengetedzwa kwakawanda, pasina mubvunzo vanoedza kuishandisa. Pane imwe nguva ichavharwa, uye kana mumwe mushandisi akangwara (zvichida nyanzvi yekugovera) akaiisa muinit script uye masisitimu akamira kushanda, vashandisi vanozongonyunyuta kuna Linus Torvalds pachake. "
Cao zvakare inotsigira kupa cryptographers uye avo vanonyatsoda TRNG nzira yekukohwa yavo entropy munzvimbo yemushandisi yekushandisa sezvavanoona zvakakodzera. Anoti kuunganidza entropy haisi nzira inogona kuitwa nekernel pane ese akasiyana Hardware ainotsigira, uye kernel pachayo haigone kufungidzira huwandu hwe entropy hwakapihwa neakasiyana masosi.
"Iyo kernel haifanirwe kunge ichisanganisa akasiyana masosi eruzha pamwe chete, uye haifanirwe kunge ichiedza kutaura kuti ingani ma bits eentropy yairi kuwana kana ichiedza kutamba imwe mhando ye"twitchy entropy mutambo" pane yakareruka CPU. mavakirwo evashandisi vevatengi. IOT/Embedded makesi uko zvese zvisiri kuwiriraniswa neine master oscillator, pasina kuraira kweCPU kurongedza kana kutumidza zita rerejista, nezvimwe.
"Unogona kutaura nezve kupa maturusi anoedza kuita masvomhu aya, asi zvinhu zvakadaro zvinofanirwa kuitwa pahardware yemushandisi wega wega, izvo zvisingaite kune vazhinji vashandisi vekugovera. Kana izvi zvakangoitirwa vanyori, saka ngazviitwe munzvimbo yavo yemushandisi. Uye ngatirege kurerutsa GPG, OpenSSL, zvichingodaro kuti munhu wese ati "tinoda "yechokwadi kusarongeka" uye hatigadzirise zvishoma. Tinogona kutaura nezve mabatiro atinoita maficha kune vanonyora ma cryptographs kuitira kuti vawane ruzivo rwavanoda nekuwana yekutanga ruzha masosi, akapatsanurwa uye nemazita, uye pamwe neimwe nzira sosi yeruzha inogona kuzviratidza kuraibhurari kana mushandisi nzvimbo yekushandisa. "
Paive neimwe nhaurirano nezvekuti chimiro chakadaro chingataridzika sei, sezvo semuenzaniso panogona kunge paine chengetedzo yezvimwe zviitiko. Cao akacherekedza kuti keyboard scan codes (kureva keystrokes) inosanganiswa mudziva sechikamu chekuunganidza entropy: "Kuunza izvi munzvimbo yemushandisi, kunyangwe kuburikidza nekufona system yakasarudzika, kungave kusachenjera kutaura zvishoma." Zvinogoneka kuti dzimwe nguva dzechiitiko dzinogona kugadzira imwe mhando yeruzivo rwekuburitswa kuburikidza nematanho ekudivi.
Saka zvinoita senge dambudziko renguva refu neLinux's random number subsystem iri munzira kuenda kumhinduro. Shanduko idzo dzakasarudzika nhamba subsystem dzakaitika nguva pfupi yadarika dzakangokonzera nyaya dzeDoS uchiishandisa. Ikozvino kune nzira dzinoshanda dzekuwana akanakisa asina kujairika manhamba anogona kupa kernel. Kana TRNG ichiri kudiwa paLinux, saka kukanganisa uku kuchada kugadziriswa mune ramangwana, asi kazhinji izvi hazvizoitwe mukati mekernel pachayo.
Dzimwe ads π
Ndinokutendai nekugara nesu. Unoda zvinyorwa zvedu here? Unoda kuona zvimwe zvinonakidza zvemukati? Titsigire nekuisa odha kana kukurudzira kushamwari, , yakasarudzika analogue yekupinda-level maseva, iyo yakagadzirwa nesu kuti iwe: (inowanikwa neRAID1 uye RAID10, kusvika ku24 cores uye kusvika ku40GB DDR4).
Dell R730xd 2 nguva yakachipa muEquinix Tier IV data center muAmsterdam? Chete pano muNetherlands! Dell R420 - 2x E5-2430 2.2Ghz 6C 128GB DDR3 2x960GB SSD 1Gbps 100TB - kubva pamadhora makumi mapfumbamwe nemapfumbamwe! Verenga nezve
Source: www.habr.com