
Not detected by testing

Posted May 15, 2008 0:32 UTC (Thu) by erich (subscriber, #7127)
In reply to: Not detected by testing by endecotp
Parent article: Cryptographic weakness on Debian systems

Note that we're talking about the seeding here. The seeding was pretty much done only by the
PID. If you had done a test suite, it would have been very unlikely that you would have detected a
dependency on the PID, except by doing like 32k runs until the same PID is used again.
Even if you had been testing the RNG separately from all other stuff, that would seem pretty
much overkill to do some 32k runs of the test app and compare the results for duplicates or
similarities.



Not detected by testing

Posted May 15, 2008 13:19 UTC (Thu) by kevinbsmith (guest, #4778)

How about a test that generates two keys in a row, within the same process, and makes sure
they are not identical to each other? If salt is involved, take that into account rather than
doing a bitwise comparison.

That seems like a pretty reasonable test at the library level, to ensure the key really is a
key and not a buffer full of zeros.
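
The two tests discussed in this thread, side by side, as an added illustration that is not part of either comment and is not OpenSSL code. It assumes a toy generator seeded only by the PID, as the first comment describes; `PidSeededRng`, `PID_MAX`, `generate_key` and the test functions are hypothetical names.

```python
import hashlib

PID_MAX = 32768  # assumed Linux default pid_max; usable PIDs are 1..32767


class PidSeededRng:
    """Constructed toy generator whose only seed material is the PID."""

    def __init__(self, pid: int):
        self._state = hashlib.sha256(b"seed:%d" % pid).digest()

    def random_bytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            # Advance the state, then derive output from it.
            self._state = hashlib.sha256(self._state).digest()
            out += hashlib.sha256(b"out" + self._state).digest()
        return out[:n]


def generate_key(rng: PidSeededRng) -> bytes:
    """Stand-in for key generation: 32 bytes straight from the generator."""
    return rng.random_bytes(32)


def in_process_test(pid: int) -> bool:
    """Two keys from one process must differ and must not be all zeros."""
    rng = PidSeededRng(pid)
    k1, k2 = generate_key(rng), generate_key(rng)
    return k1 != k2 and any(k1) and any(k2)


def distinct_first_keys(runs: int) -> int:
    """Simulate `runs` fresh processes with wrapping PIDs; count unique keys."""
    keys = set()
    for i in range(runs):
        pid = 1 + i % (PID_MAX - 1)  # PIDs cycle through 1..32767
        keys.add(generate_key(PidSeededRng(pid)))
    return len(keys)


if __name__ == "__main__":
    print("in-process test passes:", in_process_test(1234))
    print("distinct keys in 40000 launches:", distinct_first_keys(40000))
```

The in-process check passes for any PID, while the count of distinct first keys stops growing once the simulated PIDs wrap around.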
