From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 20:42:18 2014
Date: Fri, 18 Jul 2014 16:42:06 -0400 (EDT)
From: Benjamin Kaduk
To: Andrey Chernov
Subject: Re: Speed and security of /dev/urandom
In-Reply-To: <53C9857D.6000806@freebsd.org>
References: <53C85F42.1000704@pyro.eu.org> <53C9857D.6000806@freebsd.org>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; format=flowed; charset=US-ASCII
Cc: freebsd-security@freebsd.org, Steven Chamberlain

On Fri, 18 Jul 2014, Andrey Chernov wrote:

> On 18.07.2014 3:41, Steven Chamberlain wrote:
>> Is there a good reason arc4random_buf() can't take bytes directly from
>> /dev/urandom or sysctl KERN_ARND? Therefore no longer needing to seed
>> first, periodically reseed, or use any stream cipher?
>
> One of the reasons I hear is that true random entropy bits can be quickly
> exhausted if every userland program will drain them so much.

Once the DRBG is seeded with a sufficient amount of truly random bits
("entropy"), its output remains unpredictable essentially indefinitely.
There is no "loss" or "draining" of entropy from the system over time
unless the algorithm is lousy.

-Ben
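To illustrate Ben's point about seeding, here is an added example (not code from the list, FreeBSD's libc, or its kernel): an HMAC_DRBG in the style of NIST SP 800-90A over SHA-256, seeded once from the kernel via os.urandom. After that single draw the output depends only on the internal state, so two generators given the same seed agree byte for byte and one seeding supports an arbitrarily long stream; the reseed counter is a policy bound from the standard, not a measure of entropy being used up.

```python
import hmac
import hashlib
import os

class HmacDrbg:
    """HMAC_DRBG over SHA-256 in the style of NIST SP 800-90A (added example)."""

    def __init__(self, seed_material=None, reseed_interval=2**48):
        if seed_material is None:
            seed_material = os.urandom(32)  # one draw from the kernel pool, then no further entropy is consumed
        if len(seed_material) < 32:  # require at least 256 bits of seed material
            raise ValueError("seed material too short")
        self.K = b"\x00" * 32
        self.V = b"\x01" * 32
        self.reseed_interval = reseed_interval
        self._update(seed_material)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided):
        # HMAC_DRBG_Update: fold provided data into the state (K, V)
        self.K = self._hmac(self.K, self.V + b"\x00" + provided)
        self.V = self._hmac(self.K, self.V)
        if provided:
            self.K = self._hmac(self.K, self.V + b"\x01" + provided)
            self.V = self._hmac(self.K, self.V)

    def reseed(self, seed_material):
        # Mixes in fresh seed material; a defence-in-depth measure, not a requirement for unpredictability
        self._update(seed_material)
        self.reseed_counter = 1

    def generate(self, n):
        if self.reseed_counter > self.reseed_interval:
            raise RuntimeError("reseed required")
        out = b""
        while len(out) < n:
            self.V = self._hmac(self.K, self.V)
            out += self.V
        self._update(b"")  # ratchet the state so earlier output cannot be recovered from it
        self.reseed_counter += 1
        return out[:n]

def same_seed_same_stream(seed, n):
    """Two generators given the same seed agree byte for byte: output depends on the seed alone."""
    return HmacDrbg(seed).generate(n) == HmacDrbg(seed).generate(n)
```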