Date: Mon, 13 Mar 2017 22:06:39 +0000
From: Steven Chamberlain <steven@pyro.eu.org>
To: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject: Re: arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
Message-ID: <20170313220639.GB65190@pyro.eu.org>

From this document (TOP SECRET//SI//NOFORN):

https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf

version 1.0 said:

| 8. (S//NF) [...] If RC4 is used, at least the first 1024
| bytes of the cryptostream must be discarded and may not be used

and that is exactly what FreeBSD's libc and in-kernel arc4random
implementations do.

version 1.1 received input from another agency:

| (C//SI//REL FVEY) Coordinated with NSA/CES.

and a new requirement was introduced:

| (TS//SI) 5.9: Added additional information about proper use of RC4.

| 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
| bytes of the cryptostream must be discarded and may not be used.

I think you should take that to mean that the NSA has, or suspects
someone else to have, a practical attack on RC4 when it is used as
FreeBSD does currently. The document seems 4-5 years old already, as
it prohibits use of RC4 at all from 2014 onward.
Please consider switching to ChaCha20 in the long term (kern/182610),
but right now, at least increase the amount of early keystream that is
discarded.

Many thanks,
Regards,
-- 
Steven Chamberlain
steven@pyro.eu.org

[Attachment: arc4random.patch]

diff -Nru a/head/lib/libc/gen/arc4random.c b/head/lib/libc/gen/arc4random.c
--- a/head/lib/libc/gen/arc4random.c	2016-10-12 14:56:14.834409000 +0100
+++ b/head/lib/libc/gen/arc4random.c	2017-03-13 21:57:16.532833171 +0000
@@ -160,7 +160,7 @@
 	 * Discard early keystream, as per recommendations in:
 	 * "(Not So) Random Shuffles of RC4" by Ilya Mironov.
 	 */
-	for (i = 0; i < 1024; i++)
+	for (i = 0; i < 3072; i++)
 		(void)arc4_getbyte();
 	arc4_count = 1600000;
 }
diff -Nru a/head/sys/libkern/arc4random.c b/head/sys/libkern/arc4random.c
--- a/head/sys/libkern/arc4random.c	2016-11-25 17:20:23.862538000 +0000
+++ b/head/sys/libkern/arc4random.c	2017-03-13 21:58:45.985402563 +0000
@@ -84,11 +84,11 @@
 	/*
 	 * Throw away the first N words of output, as suggested in the
 	 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
-	 * by Fluher, Mantin, and Shamir.  (N = 256 in our case.)
+	 * by Fluher, Mantin, and Shamir.  (N = 768 in our case.)
 	 *
 	 * http://dl.acm.org/citation.cfm?id=646557.694759
 	 */
-	for (n = 0; n < 256*4; n++)
+	for (n = 0; n < 768*4; n++)
 		arc4_randbyte(arc4);
 
 	mtx_unlock(&arc4->mtx);

[PGP signature attachment omitted]
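Review bot: in the libc hunk, the comment directly above the changed loop still attributes the discard length to Mironov's "(Not So) Random Shuffles of RC4", yet the count moves from 1024 to 3072 with nothing saying why; add a sentence naming the source of the new figure (the requirements document quoted in the mail) so the next reader does not have to rediscover it. The unchanged `arc4_count = 1600000;` context line means the discard runs at every rekey, so this triples a fixed per-rekey cost; the commit message should say the rekey interval was considered and deliberately left as is.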
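Review bot: in the kernel hunk, "(N = 768 in our case.)" keeps the attribution to the Fluhrer, Mantin and Shamir paper, which cannot be the source of both the old 256 and the new 768; state in the comment where 768*4 = 3072 bytes comes from, and since the line is being rewritten anyway, fix the pre-existing misspelling "Fluher" to "Fluhrer". The libc side counts in bytes (3072) while this side counts words times 4 (768*4); a short comment that both are meant to discard the same 3072 bytes would keep the two from drifting apart in a later edit.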
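The bias that motivates discarding early keystream, as an added C illustration that is not part of this mail or of FreeBSD's arc4random: a small RC4 with a drop-N step like the loops in the patch, and an experiment showing that the second keystream byte of a freshly keyed RC4 is 0 about twice as often as it should be (the Mantin-Shamir second-byte bias), which disappears once early bytes are discarded. The RC4 routines, the xorshift32 key source and its seed are constructed for this demonstration.

```c
#include <stddef.h>
#include <stdint.h>
/* Minimal RC4 state; constructed for this illustration, not FreeBSD's code. */
struct rc4 { uint8_t i, j, s[256]; };
/* Key-scheduling algorithm (KSA). */
void rc4_init(struct rc4 *st, const uint8_t *key, size_t klen)
{
    unsigned i, j = 0; uint8_t t;
    for (i = 0; i < 256; i++) st->s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + st->s[i] + key[i % klen]) & 0xff;
        t = st->s[i]; st->s[i] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}
/* One PRGA step: returns the next keystream byte. */
uint8_t rc4_getbyte(struct rc4 *st)
{
    uint8_t t;
    st->i++;
    st->j += st->s[st->i];
    t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
    return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}
/* xorshift32: a tiny deterministic key source, so the experiment is repeatable. */
uint32_t next_word(uint32_t *x)
{
    *x ^= *x << 13; *x ^= *x >> 17; *x ^= *x << 5;
    return *x;
}

/* Key `trials` fresh 16-byte keys, discard `drop` bytes after each key schedule
 * (what arc4random's loop does), and count how often the second byte after the
 * discard is 0.  Unbiased output gives about trials/256; with drop == 0 RC4
 * gives roughly twice that (the classic second-byte bias). */
unsigned count_zero_second_byte(unsigned trials, unsigned drop)
{
    uint32_t seed = 0x2545f491u, key[4];
    unsigned zeros = 0, t, k;
    for (t = 0; t < trials; t++) {
        struct rc4 st;
        for (k = 0; k < 4; k++) key[k] = next_word(&seed);
        rc4_init(&st, (const uint8_t *)key, sizeof key);
        for (k = 0; k < drop; k++) (void)rc4_getbyte(&st); /* early keystream */
        (void)rc4_getbyte(&st);                             /* first byte */
        if (rc4_getbyte(&st) == 0) zeros++;                 /* second byte */
    }
    return zeros;
}
```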