harmony-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Endre Stølsvik <En...@stolsvik.com>
Subject Re: [classlib][security] RandomBitsSupplier.getRandomBits() on zOS
Date Fri, 11 Jan 2008 15:44:14 GMT
Oliver Deakin wrote:
> Endre Stølsvik wrote:
>> Envision a server that's booting up.
>> Playing the devils advocate here, assuming that no network activity 
>> happened before our java process started, what's really random with 
>> those three "seeds"?

>> Oliver Deakin wrote:
>>> I found that, although fairly simple, this produced a good variety of 
>>> seeds.
>> On a system that's already running, it might. On a system that is 
>> starting up, there will be _no_ variety in those three variables 
>> except for the time, and that isn't really "variable" either!
> Actually when I tested these values I launched the VM separately for 
> every run, so at least for the process time (and obviously system clock) 
> it was as if the system was starting up every time.

Not really - lots of other processes are then running, and you thus have 
some unpredictable elements in regard to _when you_ hit enter as opposed 
to which other processes are in the run queue, where they are, state, 
kernel threading, timeslices and pre-empting of processes, and whatnot.

How many times did you run your "reboot"?

Here's what I actually stated: Stick the JVM startup in a /etc/rc2.d/ 
script, WAY early in the boot sequence (in particular before the network 
is brought up, since that can introduce actual randomness due to 
latency, human intervention on other boxes in your network, name server 
delays, DHCP, whathaveyous), on a physical box (not running on 
virtualization, as that basically introduces the same problems as 
described as when running on an OS), sampling each of your values, and 
then appending them to a some log-file.

Now reboot the physical box 100 times (at least not only two). Check the 
values. Due to some possible randomness in regard to variation between 
e.g. two different clocks, or the angle of the disc in the hard disk 
when spinning up, or other such very limited sources of entropy, there 
might be more than one set of values that emerge - my point is that 
there might be _some_ such sets, but not plenty. Checking the actual bit 
patterns as opposed to decimal values also might reveal something. If 
you get the same value more than just once, the point is proven, I feel 
(obviously in comparison to how many bits of entropy you feel that you 
get out of these values).

This is actually very relevant in regard to a _server_, as in "web 
server", "application server" etc.


View raw message