Date:      Tue, 14 Mar 2017 13:03:47 +1100
From:      Dewayne Geraghty <dewaynegeraghty@gmail.com>
To:        Steven Chamberlain <steven@pyro.eu.org>
Cc:        freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
Subject:   Re: arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
Message-ID:  <CAGnMC6r41ugwjN2j5nHjfO5CTFr6wOwujmM%2B0-ZNy_Ch9hiV2Q@mail.gmail.com>
In-Reply-To: <20170313220639.GB65190@pyro.eu.org>
References:  <CAD2Ti28acbW%2BpGQR5UihECWvg9WduGmVzkVFug_2ZWRF2zyTBw@mail.gmail.com> <20170313220639.GB65190@pyro.eu.org>

On 14 March 2017 at 09:06, Steven Chamberlain <steven@pyro.eu.org> wrote:

> From this document (TOP SECRET//SI//NOFORN):
> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
>
> version 1.0 said:
>
> | 8. (S//NF) [...] If RC4 is used, at least the first 1024
> | bytes of the cryptostream must be discarded and may not be used
>
> and that is exactly what FreeBSD's libc and in-kernel arc4random
> implementations do.
>
> version 1.1 received input from another agency:
>
> | (C//SI//REL FVEY) Coordinated with NSA/CES.
>
> and a new requirement was introduced:
>
> | (TS//SI) 5.9: Added additional information about proper use of RC4.
>
> | 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
> | bytes of the cryptostream must be discarded and may not be used.
>
> I think you should take that to mean, the NSA has, or suspects someone
> else to have, a practical attack on RC4 when being used as FreeBSD does
> currently.  The document seems 4-5 years old already as it prohibits use
> of RC4 at all from 2014 onward.
>
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.
>
> Many thanks,
> Regards,
> --
> Steven Chamberlain
> steven@pyro.eu.org
>

Thanks Steven.  I wasn't aware that OpenBSD was 3.5+ years ahead of the
curve in terms of securing against RC4 weaknesses, compared to FreeBSD.
Perhaps they have access to a mole ;)

The pointer to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182610
probably needs a push along. (or a local patch, which mostly applied to
/usr/src/lib/libc/gen/arc4random.c ; 2 of 13 hunks need a manual adjustment)
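An added example, not code from either message nor from FreeBSD's arc4random.c: a minimal RC4 keystream generator with the discard step the thread is about, so the 1024-byte drop FreeBSD used and the 3072-byte drop the quoted v1.1 requirement demands can be compared directly. The struct and function names are my own; only the two discard sizes come from the quoted text.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Discard sizes named in the quoted requirement: FreeBSD's arc4random drops the
 * first 1024 keystream bytes; the v1.1 document demands 3072. */
#define ARC4_DROP_FREEBSD 1024
#define ARC4_DROP_NOD_V11 3072
struct rc4_state {
    uint8_t s[256];
    uint8_t i, j;
};
/* Key-scheduling algorithm: permute S under the key. */
static void rc4_init(struct rc4_state *st, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0, t;
    for (int i = 0; i < 256; i++)
        st->s[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + st->s[i] + key[i % keylen]);
        t = st->s[i]; st->s[i] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}
/* Pseudo-random generation algorithm: emit one keystream byte. */
static uint8_t rc4_byte(struct rc4_state *st)
{
    uint8_t t;
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->s[st->i]);
    t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
    return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}
/* Write `len` keystream bytes for `key` into `out`, after discarding the first
 * `drop` bytes the way arc4random does; returns bytes written (0 on a bad key). */
size_t rc4_keystream(const uint8_t *key, size_t keylen, size_t drop,
                     uint8_t *out, size_t len)
{
    struct rc4_state st;
    if (keylen == 0 || keylen > 256)
        return 0;
    rc4_init(&st, key, keylen);
    while (drop--)                 /* the early, statistically biased output is thrown away */
        (void)rc4_byte(&st);
    for (size_t n = 0; n < len; n++)
        out[n] = rc4_byte(&st);
    memset(&st, 0, sizeof st);     /* scrub the permutation before returning */
    return len;
}
```

Calling `rc4_keystream(key, keylen, ARC4_DROP_NOD_V11, out, len)` yields exactly the bytes that an undropped stream produces from offset 3072 onward, which is what the larger discard buys: the output consumers see starts further from the biased prefix.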
