
Let's say you cat /dev/random or /dev/urandom all day from boot to system shutdown, either redirecting the output to a file or just catting it (in a terminal, or whatever); it doesn't matter. Is this insecure, or a bad idea? If so, why?

Revealing random bytes while the system (and/or the applications running on it, think e.g. sudo when changing a password, or a browser that needs to generate session keys, ...) is using them: does this pose any threat, or increase any kind of risk, on any level?

By the way: the system that uses these PRNGs is compromised. The adversary has root access to the system.

If it does not pose a risk, or "is not a bad idea", doesn't it make the PRNG in question more predictable (even if the chance or amount is extremely small)?

  • I think what you simply mean to ask is if the output of a PRNG can be used to predict future ranges of random numbers generated by the system. If how the numbers are revealed doesn't matter, then let's remove that entire factor from the question. And the thing you do not state is that someone *else* gains access to it. (If no one does, then there is no danger.) – schroeder Mar 19 '21 at 12:08
  • Well, okay - will add that to my question, sorry, forgot that completely - the system is compromised (the adversary has root access). – William Martens Mar 19 '21 at 12:10
  • If they have unauthorised root access, the PRNG is meaningless ... – schroeder Mar 19 '21 at 12:12
  • How so? (Note I am asking only about the security of the PRNG.) Shortly: I am not really sure what you mean by meaningless if we only focus on the PRNG. Obviously, if the attacker has root on the system, he can do whatever he wants; my question is about the security of the PRNG (how it could/would/will affect it, if it does). – William Martens Mar 19 '21 at 12:13
  • @schroeder Note: what I mean with "doesn't matter" is, obviously, you use a command (e.g. **cat** or similar) to reveal the randomness, and what didn't matter was whether you put it in a file or just cat it as output (so, I guess, the cat output would be in RAM? If this is wrong, please **correct me**). – William Martens Mar 19 '21 at 12:23
  • As an example "risk" or "consequence": wouldn't revealing randomness from a system while it's generating crypto keys (or doing anything CSPRNG-related) be considered a security risk, for example because the randomness that was used for the generation of the key(s) is in the clear? (Am I wrong? If I am, please point that out; I'm asking because of this.) Example 2 would be: maybe he cats the randomness to a file (even if it gets really big, GB/TB; let's say he has disk space for it), and if he collects related info (latency, speed of things, etc.), could the PRNG get insecure in any way? – William Martens Mar 19 '21 at 12:50
  • You use a PRNG to hide secrets. As root, you have access to everything. Including creating a new PRNG that allows you to predict future values ... – schroeder Mar 19 '21 at 12:58

2 Answers


A secure CSPRNG, like the ones currently and historically used in Linux and most other Unix operating systems, should not leak information from its output. In other words, exposing part of its output (by running cat /dev/urandom) should not tell you anything about the rest of its output (used by other programs on the system).

Linux uses a frequently reseeded ChaCha20 stream cipher, and other Unix-like systems use Fortuna or Yarrow. All of these designs are constructed such that even if the state of the PRNG is exposed (which it could not be without access to the kernel), assuming the state stops being exposed and sufficient entropy is regained after that exposure, future outputs will become secure (unpredictable) once again.

Having said that, in general we assume if the attacker is root, that they can execute arbitrary code on the system, including in the kernel, and as such the state of the PRNG is compromised. That isn't necessarily true; for example, most distros configure their kernels such that if Secure Boot is used, the kernel is locked down and root cannot read or write arbitrary kernel memory or load untrusted modules. However, most folks working in security will assume that a root compromise implies a full system compromise including kernelspace.

If the attacker is not root, then the CSPRNG is probably secure.

bk2204

Your question seems a bit self-contradictory to me, but let's take a crack at it.


Your core original question sounds like it boils down to "Given X bits of PRNG output, does the attacker have a better than 50% chance of guessing correctly bit X+1?" This is the standard definition of a cryptographically secure PRNG (CSPRNG), so as long as you're using an up-to-date Linux kernel, then you're good.


However you added the update:

The system that uses these PRNGs is compromised. The adversary has root access to the system.

which is a totally different question. At that point, the attacker can dump kernel memory and read the internal registers of the Linux RNG (LRNG) -- aka the PRNG seed. With some cleverness they could also reset the LRNG internal registers back to a state where the attacker knows what the next X bits will be. If the attacker has root access then you're done. Game Over. Go home.

Mike Ounsworth
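Both answers make the same two points: output that leaks (what `cat /dev/urandom` shows) does not help predict other output, but a dumped internal state does, until the generator is reseeded with enough fresh entropy that the attacker never saw. The following is an added example, not code from either answer and not the Linux kernel's ChaCha20 construction: a deliberately simplified hash-based generator (HMAC-SHA256 key as the state, ratcheted after every call, mixed with entropy on reseed) plus three attacker models built on it. `ToyDRBG`, the function names and the 32-bit cap on the reseed width are all assumptions of this example.

```python
import hmac
import hashlib
import secrets

RATCHET = b"ratchet"  # constructed domain-separation label for the key ratchet


class ToyDRBG:
    """Toy hash-based DRBG for illustration only (assumption: not any real kernel RNG).

    state   : a 32-byte HMAC key.
    generate: block i of output is HMAC(key, i); afterwards key = HMAC(key, RATCHET),
              so someone who later captures the key cannot recompute earlier output.
    reseed  : key = HMAC(key, entropy); entropy unknown to the attacker makes the
              future unpredictable again even if the old key was captured.
    """

    def __init__(self, key: bytes) -> None:
        self.key = key

    def generate(self, nbytes: int) -> bytes:
        out = b""
        counter = 0
        while len(out) < nbytes:
            out += hmac.new(self.key, counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        self.key = hmac.new(self.key, RATCHET, hashlib.sha256).digest()  # one-way ratchet
        return out[:nbytes]

    def reseed(self, entropy: bytes) -> None:
        self.key = hmac.new(self.key, entropy, hashlib.sha256).digest()

    def snapshot(self) -> bytes:
        """What a root attacker reading kernel memory would obtain."""
        return self.key


def attacker_predicts_after_state_dump() -> bool:
    """Root copies the state; a clone then reproduces every future output exactly."""
    rng = ToyDRBG(secrets.token_bytes(32))
    rng.generate(64)                  # earlier output, e.g. what 'cat /dev/urandom' printed
    clone = ToyDRBG(rng.snapshot())   # the state dump
    session_key = rng.generate(32)    # a victim application now draws a key
    return clone.generate(32) == session_key


def attacker_predicts_after_strong_reseed() -> bool:
    """Same dump, but the generator mixes in 256 bits of entropy the attacker never saw."""
    rng = ToyDRBG(secrets.token_bytes(32))
    clone = ToyDRBG(rng.snapshot())
    rng.reseed(secrets.token_bytes(32))   # fresh entropy, unknown to the clone
    return clone.generate(32) == rng.generate(32)   # False: the clone has diverged


def attacker_resyncs_after_weak_reseed(entropy_bits: int) -> bool:
    """Same dump, but the reseed carried only `entropy_bits` of fresh entropy.

    The attacker brute-forces the reseed value, checking each guess against one
    observed block (again, 'cat /dev/urandom' suffices), then predicts the next key.
    """
    if not 0 < entropy_bits <= 32:
        raise ValueError("example assumes a reseed value that fits in 4 bytes")
    rng = ToyDRBG(secrets.token_bytes(32))
    stolen = rng.snapshot()
    fresh = secrets.randbelow(1 << entropy_bits).to_bytes(4, "big")
    rng.reseed(fresh)
    observed = rng.generate(32)   # leaked output after the reseed
    target = rng.generate(32)     # the next application key
    for guess in range(1 << entropy_bits):
        candidate = ToyDRBG(stolen)
        candidate.reseed(guess.to_bytes(4, "big"))
        if candidate.generate(32) == observed:
            return candidate.generate(32) == target
    return False


if __name__ == "__main__":
    print("state dump -> predicted:", attacker_predicts_after_state_dump())
    print("256-bit reseed -> predicted:", attacker_predicts_after_strong_reseed())
    print("12-bit reseed -> resynced:", attacker_resyncs_after_weak_reseed(12))
```

The point of the third function is the caveat in bk2204's "sufficient entropy is regained": leaked output is harmless by itself, but once the state has been captured, leaked output becomes the oracle the attacker uses to confirm brute-force guesses at a low-entropy reseed, so recovery depends on the amount of fresh entropy, not on the reseed merely happening.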