Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 2 Mar 2005 02:06:25 -0800
From:      "Ted Mittelstaedt" <tedm@toybox.placo.com>
To:        "Loren M. Lang" <lorenl@alzatex.com>
Cc:        Kris Kennaway <kris@obsecurity.org>
Subject:   RE: /dev/io , /dev/mem : only used by Xorg?
Message-ID:  <LOBBIFDAGNMAMLGJJCKNKEKAFAAA.tedm@toybox.placo.com>
In-Reply-To: <20050302051151.GC30896@alzatex.com>

next in thread | previous in thread | raw e-mail | index | archive | help


> -----Original Message-----
> From: owner-freebsd-questions@freebsd.org
> [mailto:owner-freebsd-questions@freebsd.org]On Behalf Of Loren M. Lang
> Sent: Tuesday, March 01, 2005 9:12 PM
> To: Ted Mittelstaedt
> Cc: FreeBSD questions; Loren M. Lang; Rob; Kris Kennaway
> Subject: Re: /dev/io , /dev/mem : only used by Xorg?
>
>
> I don't seem to have rndcontrol on 5.3, is that an old command?
>

I think you missed the back and forth on this between me and Kris?

answer, no - the random device in 5.3 was rewritten to probe for
ethernet and other random irq's

> >
> > Another strange thing is that /dev/random should block when it
> > runs out of entropy - it doesen't seem to do so, however.  And the
> > device doesen't seem to gain entropy that quickly.
>
> Then how is /dev/random differ from /dev/urandom?
>

The current philosophy in random devices is to make both of these be
the same, and use a better random number generator that generates random
numbers faster, thus removing the need for separate devices.

Here is a section of the readme from the Solaris patch 112439-02 which
adds a
random device to Solaris 2.6, it illustrates the typical older behavior
of the two devices:

     Applications retrieve random bytes by reading /dev/random or
     /dev/urandom. The /dev/random interface returns random bytes
     only when sufficient amount of entropy has  been  collected.
     If  there  is  no entropy to produce the requested number of
     bytes,  /dev/random  blocks  until  more  entropy   can   be
     obtained.  Non-blocking  I/O mode can be used to disable the
     blocking behavior. The /dev/random interface  also  supports
     poll(2). Note that using poll(2) will not increase the speed
     at which random numbers can be read.

     Bytes retrieved from /dev/random provide the highest quality
     random numbers produced by the generator, and can be used to
     generate  long  term  keys  and  other  high  value   keying
     material.

     The  /dev/urandom interface returns bytes regardless of  the
     amount  of  entropy  available.  It does not block on a read
     request due to lack of entropy. While bytes produced by  the
     /dev/urandom  interface are of lower quality than bytes pro-
     duced by /dev/random, they are nonetheless suitable for less
     demanding  and shorter term cryptographic uses such as short
     term session keys, paddings, and challenge strings.

You see, the problem with this from an application developers perspective
is that if you are designing an app that MUST only use high quality
random numbers, then you have to read /dev/random not /dev/urandom -
but if /dev/random's prng runs out of randomness, it will block, thus
your application hangs until it unblocks.  If you try to get around that
by reading in nonblocking mode then your app won't hang, but you will
get an error when the device runs out of numbers and you try to keep
reading it.  Thus your app will still have to set waiting around for
more numbers.  /dev/urandom allowed app developers to ignore all that
because then the /dev/urandom device runs out of random numbers it
just gives non-random numbers - while this of course makes your app
insecure, most app developers don't give a shit since their customers
don't know any better.

FreeBSD did away with the blocking in /dev/random because a number of
app developers didn't understand I/O and the FreeBSD core group got
tired of hearing the complaints - reasoning (correctly) that if the
app developer didn't bother to understand anything about random number
generators then it didn't make any difference if the device fed them
non-random numbers on occasion.

> >
> > The FreeBSD random device is a port of the same Linux code.
>
> I'm pretty sure that the linux code is GPLed, and I'd expect that
> FreeBSD uses a BSD version.  Are they actually from the same code?
>

Yes they are.  However the author of the code, Theodore Ts'o, was well
aware of the problems of GPL when he wrote it, and released the code
with effectively 2 licenses, one BSD the other GPL.

Of course Linux people subsequently applied the GPL to their version
but that doesen't affect us, see the file /usr/src/sys/kern/kern_random.c
in FreeBSD 4.

There is at least one other random device that was written for Solaris
that uses this code also.  (andi's SUNrand) I also strongly suspect that
Sun
used this code in their patch 112439 since my testing of the Sun device
and the
FreeBSD device showed they fell down almost the same way.

The 5.X random generator is a different animal, it is based on the
Yarrow prng as well as more sensible hardware detection and use.

Keep in mind that until 1995 when everyone started using UNIX servers
for running SSL webservers on the Internet, almost nobody gave a damn
about needing a random device under UNIX or any other operating system.

>
> Every doc I've heard of using prng on linux always suggests that the
> native entropy source is better?  Is this because the linux version has
> better hooks in the kernel and always uses interrupts as a source?
>

The docs your reading are wrong or not really telling the whole story.

For starters it isn't possible in a computer to get a source of
randomness by just looking at interrupts, that will generate
random numbers as fast as they are needed.  Random devices (ideally)
use interrupts as inputs to pseudorandom number generators
(prngs) which are able to generate much larger quantities of random
numbers
at a much higher rate of speed.  So it still boils down to who has
the best algorithm for the prng.

if the native random device uses a simple prng that cannot generate
random numbers as fast as needed, even if the inputs to it are random,
such as an interrupts, then it isn't going to be as good as a
non-native prng that uses the same random inputs and uses a better
algorithm.

Ted



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?LOBBIFDAGNMAMLGJJCKNKEKAFAAA.tedm>