Open Stack

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 01/13/2014 08:57 AM, Jarret Raim wrote:
> All,
> 
> 
> I¹d be concerned about making this change. Fundamentally, the os 
> /dev/urandom is cryptographically secure while creating a 
> cryptographically secure PRNG is actually quite difficult,
> especially one built on PyCrypto which is a non-verified code
> base.
> 
> In the case of /dev/urandom, it seeds from the internal pool that
> also supplies /dev/random. Once this seeding is complete, urandom
> can be relied upon to supply random data without blocking or
> exhaustion problems. The only time when there could be an issue is
> shortly after boot before the kernel has generated enough entropy
> to sufficiently seed urandom.
> 
> This problem seems unlikely to appear in most OpenStack deployments
> and is the same problem one would have to solve to adequately seed
> the PyCrypto PRNG anyway.
> 
> Barbican has been thinking about exposing a /random resource that
> would allow any user (no auth required) to pull a block of truly
> random data from the HSMs for any case where someone would need it.
> We¹ve been on the fence as the actual use cases seem nonexistent at
> the moment, but it is an option for the future if we need it.
> 
> In short - we can probably leave the code the way it is.
> 
> 
> Jarret

Just a heads up, you aren't the only people with this problem:

https://bugzilla.redhat.com/show_bug.cgi?id=786408
[RFE] Need ability to configure system entropy source for qemu

https://bugzilla.redhat.com/show_bug.cgi?id=786407
[RFE] Add ability to pull system entropy from host

So it's been solved to some degree, Steve Grubb sgrubb at redhat.com is
definitely the guy to talk to about this if you want some help. (CC'ed).


- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIcBAEBAgAGBQJS1DgTAAoJEBYNRVNeJnmTwyQP/RaJVU/SxtJbZsSsGO0j2rVv
3no4m3QZGeQRTpJGsF/6OpoMqeI7WrADRdKAiqT019aLOhqcM+P7ZzD8oLGll4dH
e+Glk62T1KT9wL4bremiFI0MwIxnf0gDmYYSrBdhDhS+nm0JBZNG3zpNIU5TglNh
emeRtf4Q4DYF2y4ZJBASHafzU5hMH3Z8iNA1QlZVYhMxQjM3SJCz8HjjQbdUnry7
8UHS2y18s5odqO3ibVUpZjEvO6fr/A1yb4PveUN4Jsw2NBi10WlgHehA1HUl/Bc+
nxfGPwhjaGjyZH8xG7xbTdacQpwZzlqj/U1o6p3UFJ6jfzr75ON1FDdOgci+7glY
72DobZfbcqojRek5WdAbVPYECr8LrlIKl0v4YUHUQ8DlZQs3ecryLUm/F5ynf9Ht
Darg2XgPcr90KoYsLlg/NQSZeRFl+u2nyhvxVWCQLFG7K2meCeEKh+2oM6XcK6U/
51i2i0rT+iS7PiCgecBWN0B1fMgtmntFmYs2U8Hv1GNGwjSL/LI494BkIbEYjRWN
9r/sBa9QMEceV/UaGVuZ0BmPzAGzo2yhYfGqcXn1JH3q9f4u8tQhRvqPgVhB3AWQ
o91ipO8JJKEx68DxpJButarbyFjtkC7dTrdxpt9+Cs/wVjTrMQdRaA1p03Bcx6sy
qpuNu87aop6QY/kjZeHc
=qQ8M
-----END PGP SIGNATURE-----