Date:      Mon, 29 Nov 1999 11:24:38 -0800 (PST)
From:      Kris Kennaway <kris@hub.freebsd.org>
To:        Dan Moschuk <dan@FreeBSD.ORG>
Cc:        Bruce Evans <bde@zeta.org.au>, Mike Smith <msmith@FreeBSD.ORG>, audit@FreeBSD.ORG, Warner Losh <imp@village.org>
Subject:   Re: cvs commit: src/sys/i386/conf files.i386 src/sys/kern kern_fork.c src/sys/libkern arc4random.c src/sys/sys libkern.h
Message-ID:  <Pine.BSF.4.21.9911291103500.51314-100000@hub.freebsd.org>
In-Reply-To: <19991129105703.C277@spirit.jaded.net>

On Mon, 29 Nov 1999, Dan Moschuk wrote:

> After closer examination, it seems that we do have a part OpenBSD /dev/random
> implementation hiding in sys/i386/isa/random_machdep.c (although it is a
> few revisions out of date).

Yep - the one in the Linux kernel is 1.06 or so of the same code (we have
0.95, OpenBSD 1.00). OpenBSD have essentially welded arc4random() to the
output of read_random for their /dev/arandom, whereas we just hash
whatever we can get from the entropy pool (possibly nothing) with MD5
until we fill the buffer, for /dev/urandom (/dev/random is just the MD5
hash of as much entropy as is present in both cases).

It's been a while since I checked, but I think in Linux they (perhaps
gratuitously) use SHA1 instead of MD5. It looks like there have been some
changes in the entropy-stirring and extraction mechanism in the underlying
code, though, so it's probably worthwhile updating. Whether the arandom
method is better than urandom is I guess open for debate :-)

> As I've noted in private mail, I'm a little iffy on bringing Yarrow in as a
> direct replacement at this time.  The algorithm is still quite virgin, and
> I think the matter will have to be researched more than "Bruce designed it,
> it must be good" before a final decision is made.

I don't know what Theodore Ts'o's credentials are, but I'm still much more
inclined to trust the work of someone who does this stuff for a living
than a part-time cryptographer. AFAIK no professional cryptographers have
taken a serious look at "our" (Linux/Open/FreeBSD) PRNG and the effects
of any random twiddles people may have done to them over time.

> I think the code already has a decent fix around this.
> 
>         r = read_random(key, sizeof(key));
>         for (n = r; n < sizeof(key); n++)
>                 key[n] = key[n % r];

This only has r bits of entropy, not sizeof(key).

Kris
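An added illustration of the point above, not code from this thread or from FreeBSD: the quoted fill loop rewritten in Python with a constructed seed standing in for the bytes read_random returned, plus a check that the whole key is determined by its first r bytes, so the key carries at most 8*r bits of entropy however long it is. The key length and seed values are assumptions for the demonstration; the r == 0 case (where `n % r` is undefined in the quoted C) is handled explicitly.

```python
# Constructed key buffer size for the demonstration (an assumption, not a FreeBSD value).
KEY_LEN = 256


def fill_key_by_repetition(seed: bytes, key_len: int = KEY_LEN) -> bytes:
    """The fill loop quoted in the thread: copy the r bytes read_random
    returned, then pad the rest of the key by repeating them."""
    r = len(seed)
    if r == 0:
        # The quoted C would evaluate key[n % 0]; refuse instead of dividing by zero.
        raise ValueError("read_random returned 0 bytes; nothing to repeat")
    key = bytearray(key_len)
    key[:r] = seed
    for n in range(r, key_len):
        key[n] = key[n % r]
    return bytes(key)


def effective_entropy_bits(seed_len: int) -> int:
    """Upper bound on the key's entropy: 8 bits per byte that came from the
    pool, and nothing for the copies, regardless of key_len."""
    return 8 * seed_len


def reconstruct_from_prefix(key: bytes, r: int) -> bytes:
    """Anyone who learns only the first r bytes can regenerate the whole key."""
    return fill_key_by_repetition(key[:r], len(key))


def count_reachable_keys(seed_len: int, key_len: int) -> int:
    """Enumerate every possible seed of seed_len bytes and count the distinct
    keys the fill produces. The result is 256**seed_len, not 256**key_len."""
    seen = set()
    for value in range(256 ** seed_len):
        seed = value.to_bytes(seed_len, "big")
        seen.add(fill_key_by_repetition(seed, key_len))
    return len(seen)


if __name__ == "__main__":
    # Constructed sample: pretend read_random handed back 4 bytes for a 16-byte key.
    seed = bytes([0xde, 0xad, 0xbe, 0xef])
    key = fill_key_by_repetition(seed, 16)
    print(key.hex())
    print("entropy bits:", effective_entropy_bits(len(seed)))
    print("prefix regenerates key:", reconstruct_from_prefix(key, len(seed)) == key)
    print("distinct 8-byte keys from 1 seed byte:", count_reachable_keys(1, 8))
```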
