From owner-freebsd-current Wed Jul 26 15:10:29 2000
Delivered-To: freebsd-current@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id AD70037C3BC; Wed, 26 Jul 2000 15:10:26 -0700 (PDT) (envelope-from kris@FreeBSD.org)
Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id PAA86293; Wed, 26 Jul 2000 15:10:25 -0700 (PDT) (envelope-from kris@FreeBSD.org)
X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs
Date: Wed, 26 Jul 2000 15:10:25 -0700 (PDT)
From: Kris Kennaway
To: void
Cc: current@FreeBSD.ORG
Subject: Re: randomdev entropy gathering is really weak
In-Reply-To: <20000726203413.A32392@firedrake.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 26 Jul 2000, void wrote:

> How does OpenBSD handle this issue? Anyone know?

It looks like they have four different kernel-exported random-number generators:

#define RND_RND  0 /* real randomness like nuclear chips */
#define RND_SRND 1 /* strong random source */
#define RND_URND 2 /* less strong random source */
#define RND_PRND 3 /* pseudo random source */
#define RND_ARND 4 /* aRC4 based random number generator */

RND_RND is not implemented.

/dev/random (RND_SRND) and /dev/urandom (RND_URND) are very similar to our old system (based on the same code, in fact, and also used in Linux), although OpenBSD uses more entropy sources than us.

/dev/prandom (RND_PRND): This just returns the output of random() (Why bother?)

/dev/arandom (RND_ARND): This uses the arc4 stream cipher to output a stream of bytes based on an internal key, which is periodically (but I don't know how often) reseeded using entropy samples. Much like arc4random(), except it's periodically reseeded (which arc4random() doesn't do, by default).
All of these systems have weaknesses (some serious), even if entropy is estimated accurately (there were indications it was not, for our old PRNG). That was the main motivation for moving to a cryptographically well-designed system (Yarrow).

Kris

-- 
In God we Trust -- all others must submit an X.509 certificate.
    -- Charles Forsythe

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
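The /dev/arandom design described in the message (an arc4 keystream keyed from an internal key that is periodically re-mixed with fresh entropy samples) as an added illustration; this is not OpenBSD's or FreeBSD's code. The reseed interval is an assumed constant since the message does not give OpenBSD's, and demo_entropy() is a constructed stand-in for kernel entropy samples, not a real entropy source; the point is the reseed structure, since ARC4's own keystream biases are now well documented.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define RESEED_INTERVAL 1024  /* bytes between reseeds; assumed, not OpenBSD's value */

/* ARC4 state plus bookkeeping so reseeds can be observed from outside. */
struct arc4_rng { uint8_t s[256]; uint8_t i, j; size_t since_reseed; unsigned reseeds; };

/* ARC4 key schedule run over the *current* permutation: mixing a new key into
 * the existing state (instead of resetting it) is how a reseed adds entropy. */
static void arc4_mixkey(struct arc4_rng *r, const uint8_t *key, size_t len) {
    if (len == 0) return;               /* nothing to mix; keep the old state */
    uint8_t j = 0;
    for (int i = 0; i < 256; i++) {
        j += r->s[i] + key[i % len];
        uint8_t t = r->s[i]; r->s[i] = r->s[j]; r->s[j] = t;
    }
    r->i = r->j = 0;
    r->since_reseed = 0;
}

void arc4_rng_init(struct arc4_rng *r, const uint8_t *key, size_t len) {
    for (int i = 0; i < 256; i++) r->s[i] = (uint8_t)i;  /* identity permutation */
    r->reseeds = 0;
    arc4_mixkey(r, key, len);
}

/* Entropy callback: fills buf and returns how many bytes it could supply. */
typedef size_t (*entropy_fn)(uint8_t *buf, size_t len);

/* Constructed stand-in for kernel entropy samples: deterministic, but a
 * different sample on each call so that each reseed visibly changes the key. */
size_t demo_entropy(uint8_t *buf, size_t len) {
    static uint8_t call = 0;
    call++;
    for (size_t k = 0; k < len; k++) buf[k] = (uint8_t)(call * 31 + k * 7);
    return len;
}

/* Emit n keystream bytes; once RESEED_INTERVAL bytes have gone out, pull a
 * fresh sample and mix it in. If the source is starved (returns 0 bytes), the
 * generator keeps running on the old key, which is exactly the weak case. */
void arc4_rng_read(struct arc4_rng *r, uint8_t *out, size_t n, entropy_fn entropy) {
    for (size_t k = 0; k < n; k++) {
        if (r->since_reseed >= RESEED_INTERVAL) {
            uint8_t fresh[32];
            size_t got = entropy(fresh, sizeof fresh);
            if (got > 0) { arc4_mixkey(r, fresh, got); r->reseeds++; }
        }
        r->i++;
        r->j += r->s[r->i];
        uint8_t t = r->s[r->i]; r->s[r->i] = r->s[r->j]; r->s[r->j] = t;
        out[k] = r->s[(uint8_t)(r->s[r->i] + r->s[r->j])];
        r->since_reseed++;
    }
}
```

Two generators started from the same key agree byte-for-byte until the first reseed and diverge afterwards, which is the property arc4random() without reseeding lacks.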