Date: Wed, 26 Jul 2000 15:10:25 -0700 (PDT)
From: Kris Kennaway <kris@FreeBSD.org>
To: void <float@incandescent.firedrake.org>
Cc: current@FreeBSD.ORG
Subject: Re: randomdev entropy gathering is really weak
Message-ID: <Pine.BSF.4.21.0007261455100.2649-100000@freefall.freebsd.org>
In-Reply-To: <20000726203413.A32392@firedrake.org>
On Wed, 26 Jul 2000, void wrote:

> How does OpenBSD handle this issue? Anyone know?

It looks like they have four different kernel-exported random-number
generators:

    #define RND_RND  0 /* real randomness like nuclear chips */
    #define RND_SRND 1 /* strong random source */
    #define RND_URND 2 /* less strong random source */
    #define RND_PRND 3 /* pseudo random source */
    #define RND_ARND 4 /* aRC4 based random number generator */

RND_RND is not implemented.

/dev/random (RND_SRND) and /dev/urandom (RND_URND) are very similar to
our old system (based on the same code, in fact, and also used in Linux)
although OpenBSD use more entropy sources than us.

/dev/prandom (RND_PRND): This just returns the output of random() (Why
bother?)

/dev/arandom (RND_ARND): This uses the arc4 stream cipher to output a
stream of bytes based on an internal key, which is periodically (but I
don't know how often) reseeded using entropy samples. Much like
arc4random(), except it's periodically reseeded (which arc4random()
doesn't do, by default).

All of these systems have weaknesses (some serious), even if entropy is
estimated accurately (there were indications it was not, for our old
PRNG). That was the main motivation for moving to a cryptographically
well-designed system (Yarrow).

Kris

--
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe <forsythe@alum.mit.edu>
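As an added illustration of the /dev/arandom design Kris describes (an arc4 keystream periodically re-keyed from entropy samples) and of the point that an un-reseeded arc4random() stream is fully determined by its initial key, here is a small example. It is not OpenBSD's or FreeBSD's code; the key, the entropy samples and the reseed interval are constructed values, and the entropy callback is a hypothetical stand-in for the kernel's sample collection.

```python
from __future__ import annotations
from typing import Callable, Optional


class Arc4Stream:
    """arc4-style keystream generator with periodic reseeding (example code)."""

    def __init__(self, key: bytes, entropy: Optional[Callable[[], bytes]] = None,
                 reseed_every: int = 0):
        self.s = list(range(256))
        self.i = self.j = 0
        self.entropy = entropy          # hypothetical entropy-sample callback
        self.reseed_every = reseed_every  # 0 = never reseed (arc4random default)
        self.emitted = 0
        self._ksa(key)

    def _ksa(self, key: bytes) -> None:
        # RC4 key schedule run over the *current* permutation: on first call
        # this is the standard KSA; on reseed it stirs new entropy into the
        # existing state instead of discarding it.
        j = 0
        for i in range(256):
            j = (j + self.s[i] + key[i % len(key)]) & 0xFF
            self.s[i], self.s[j] = self.s[j], self.s[i]
        self.i = self.j = 0

    def next_byte(self) -> int:
        if (self.reseed_every and self.entropy and self.emitted
                and self.emitted % self.reseed_every == 0):
            self._ksa(self.entropy())   # periodic reseed from an entropy sample
        self.i = (self.i + 1) & 0xFF
        self.j = (self.j + self.s[self.i]) & 0xFF
        self.s[self.i], self.s[self.j] = self.s[self.j], self.s[self.i]
        self.emitted += 1
        return self.s[(self.s[self.i] + self.s[self.j]) & 0xFF]

    def read(self, n: int) -> bytes:
        return bytes(self.next_byte() for _ in range(n))


def compare_streams(reseed_every: int, n: int = 48) -> tuple:
    """Two generators start from the same (constructed) key, each with its own
    constructed entropy samples. Returns (index of first differing byte, n);
    with reseed_every=0 the streams never diverge and the index equals n."""
    key = b"constructed-boot-key"
    src_a = iter([b"sample-A1", b"sample-A2"])
    src_b = iter([b"sample-B1", b"sample-B2"])
    a = Arc4Stream(key, lambda: next(src_a), reseed_every)
    b = Arc4Stream(key, lambda: next(src_b), reseed_every)
    out_a, out_b = a.read(n), b.read(n)
    first_diff = next((k for k, (x, y) in enumerate(zip(out_a, out_b)) if x != y), n)
    return first_diff, n
```

With reseed_every=0 both streams stay identical for as long as you read, which is the arc4random() behaviour Kris contrasts with /dev/arandom; with a reseed interval the two diverge once the first fresh sample is mixed in.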