From owner-freebsd-audit Mon Nov 29 11:24:39 1999
Delivered-To: freebsd-audit@freebsd.org
Received: by hub.freebsd.org (Postfix, from userid 758) id 437BA1529C; Mon, 29 Nov 1999 11:24:38 -0800 (PST)
Received: from localhost (localhost [127.0.0.1]) by hub.freebsd.org (Postfix) with ESMTP id 310ED1CD621; Mon, 29 Nov 1999 11:24:38 -0800 (PST) (envelope-from kris@hub.freebsd.org)
Date: Mon, 29 Nov 1999 11:24:38 -0800 (PST)
From: Kris Kennaway
To: Dan Moschuk
Cc: Bruce Evans, Mike Smith, audit@FreeBSD.ORG, Warner Losh
Subject: Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h
In-Reply-To: <19991129105703.C277@spirit.jaded.net>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-audit@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Mon, 29 Nov 1999, Dan Moschuk wrote:

> After closer examination, it seems that we do have a part OpenBSD /dev/random
> implementation hiding in sys/i386/isa/random_machdep.c (although it is a
> few revisions out of date).

Yep - the one in the Linux kernel is 1.06 or so of the same code (we have 0.95, OpenBSD 1.00). OpenBSD have essentially welded arc4random() to the output of read_random for their /dev/arandom, whereas we just hash whatever we can get from the entropy pool (possibly nothing) with MD5 until we fill the buffer, for /dev/urandom (/dev/random is just the MD5 hash of as much entropy as is present in both cases). It's been a while since I checked, but I think in Linux they (perhaps gratuitously) use SHA1 instead of MD5.

It looks like there have been some changes in the entropy-stirring and extraction mechanism in the underlying code, though, so it's probably worthwhile updating. Whether the arandom method is better than urandom is I guess open for debate :-)

> As I've noted in private mail, I'm a little iffy on bringing Yarrow in as a
> direct replacement at this time. The algorithm is still quite virgin, and
> I think the matter will have to be researched more than "Bruce designed it,
> it must be good" before a final decision is made.

I don't know what Theodore Ts'o's credentials are, but I'm still much more inclined to trust the work of someone who does this stuff for a living than a part-time cryptographer. AFAIK no professional cryptographers have taken a serious look at "our" (Linux/Open/FreeBSD) PRNG and the effects of any random twiddles people may have done to them over time.

> I think the code already has a decent fix around this.
>
> r = read_random(key, sizeof(key));
> for (n = r; n < sizeof(key); n++)
> key[n] = key[n % r];

This only has r bits of entropy, not sizeof(key).

Kris
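The point Kris makes about the padding loop (a key whose tail is copied from its head carries no more entropy than the bytes read_random actually returned) can be shown concretely. The following is an added example, not code from the thread or from FreeBSD: `fake_read_random`, `struct fake_pool`, and all the helper names are constructed here. The fake pool deterministically hands out at most `chunk` bytes per call, standing in for a pool that only has a little entropy available at a time. `pad_by_repeating` is the quoted fix, `determined_by_prefix` checks that the resulting key is a pure function of its first `r` bytes, and `fill_until_full` shows the alternative of reading again until the buffer is actually full.

```c
#include <stddef.h>
#include <stdio.h>

#define KEY_LEN 32

/* Constructed stand-in for the kernel's read_random(): a counter-driven
 * byte source that returns at most `chunk` bytes per call. Deterministic
 * so the example is reproducible; it is NOT FreeBSD's read_random(). */
struct fake_pool { unsigned counter; size_t chunk; };

static size_t fake_read_random(struct fake_pool *p, unsigned char *buf, size_t len)
{
    size_t n = len < p->chunk ? len : p->chunk;
    for (size_t i = 0; i < n; i++)
        buf[i] = (unsigned char)(p->counter++ * 53 + 7);  /* injective mod 256 */
    return n;
}

/* The fix quoted in the thread: one read, then repeat what came back.
 * Returns r, the number of bytes that actually came from the source. */
static size_t pad_by_repeating(struct fake_pool *p, unsigned char *key, size_t len)
{
    size_t r = fake_read_random(p, key, len);
    if (r == 0)
        return 0;               /* the quoted loop has no guard; n % 0 would trap */
    for (size_t n = r; n < len; n++)
        key[n] = key[n % r];
    return r;
}

/* Returns 1 if every byte past position r is a copy of an earlier byte,
 * i.e. the whole key is determined by its first r bytes. */
static int determined_by_prefix(const unsigned char *key, size_t len, size_t r)
{
    for (size_t n = r; n < len; n++)
        if (key[n] != key[n % r])
            return 0;
    return 1;
}

/* Alternative: keep asking the source until the buffer is full, and give
 * up only when it returns nothing. Returns the number of bytes obtained. */
static size_t fill_until_full(struct fake_pool *p, unsigned char *key, size_t len)
{
    size_t got = 0;
    while (got < len) {
        size_t r = fake_read_random(p, key + got, len - got);
        if (r == 0)
            return got;         /* caller must treat a short fill as failure */
        got += r;
    }
    return got;
}

/* Number of distinct byte values in the key: a crude witness of repetition. */
static size_t distinct_values(const unsigned char *key, size_t len)
{
    unsigned char seen[256] = {0};
    size_t count = 0;
    for (size_t i = 0; i < len; i++)
        if (!seen[key[i]]) { seen[key[i]] = 1; count++; }
    return count;
}

int main(void)
{
    unsigned char padded[KEY_LEN], filled[KEY_LEN];
    struct fake_pool p1 = {0, 5}, p2 = {0, 5};   /* 5 bytes available per read */

    size_t r = pad_by_repeating(&p1, padded, KEY_LEN);
    printf("padded: %zu source bytes, determined by prefix=%d, distinct values=%zu\n",
           r, determined_by_prefix(padded, KEY_LEN, r), distinct_values(padded, KEY_LEN));

    size_t got = fill_until_full(&p2, filled, KEY_LEN);
    printf("filled: %zu source bytes, determined by prefix=%d, distinct values=%zu\n",
           got, determined_by_prefix(filled, KEY_LEN, 5), distinct_values(filled, KEY_LEN));
    return 0;
}
```

With 5 bytes available per read, the padded 32-byte key is fully determined by its first 5 bytes (only 5 distinct values appear in it), whereas the refill loop obtains 32 source bytes. How a real kernel should behave when the pool is short (block, or return an error) is a design choice the thread leaves open; the example only shows why copying the prefix is not a substitute for either.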