August 18, 2003

Unix/Linux Keystroke Information Disclosure Weakness

A weakness has been discovered in the entropy pool implemented by the /dev/random device on various Unix-derived operating systems. The problem occurs
when the pool has been emtpied, and the entropy mechanism begins to the seed the pool with a source of pseudo-random data.
It has been discovered that due to keystrokes from the console being a source of seeding the entropy pool, it may be possible for an attacker to
deduce a user's keystrokes who is physically present at the console. This is possible due to predictable timing sequences used when a keyboard is
used, as well as largely differing seeding times when accessing different seeding mechanisms.
A conclusive list of affected systems is not available at this time.



  • Security
Click Here!