From owner-freebsd-security@FreeBSD.ORG Fri Jul 18 22:10:59 2014
From: RW
To: freebsd-security@freebsd.org
Subject: Re: Speed and security of /dev/urandom
Date: Fri, 18 Jul 2014 23:10:53 +0100
Message-ID: <20140718231053.3251d0b7@gumby.homeunix.com>
In-Reply-To: <53C97E47.4030100@pyro.eu.org>
References: <53C85F42.1000704@pyro.eu.org> <4E23BEEA-693A-4FA3-BE94-9BB82B49503A@vpnc.org> <53C97E47.4030100@pyro.eu.org>
X-Mailer: Claws Mail 3.10.1 (GTK+ 2.24.22; amd64-portbld-freebsd10.0)
List-Id: "Security issues [members-only posting]"

On Fri, 18 Jul 2014 21:06:31 +0100
Steven Chamberlain wrote:

> *If* getpid involves a syscall on every arc4random_buf call, that is
> already going to limit its performance? Would it really be any slower
> to just return random bytes from the kernel, with the KERN_ARND sysctl?

I think KERN_ARND uses the kernel version of arc4random rather than
Yarrow - unless something changed.

> The overhead of currently having to initially and periodically seed
> RC4, discard the early keystream, and apply that cipher thereafter,
> would be gone. The risk of the problem described above, or of
> weaknesses in RC4, or implementation issues with arc4random's PRNG
> seeding are also gone.

The RANDOM kernel module may not be present, particularly in a
stripped-down embedded kernel. In that case Yarrow isn't present in the
kernel, and kernel arc4random isn't securely seeded. An application may
then securely seed userland arc4random via arc4random_addrandom().
Supporting that requires at least the possibility to fall back to a
userland PRNG.
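The KERN_ARND path discussed in this reply, as an added example that is not code from the thread or from FreeBSD's libc: a C function that pulls random bytes straight from the kernel (sysctl(2) on FreeBSD, /dev/urandom elsewhere) and reports failure so the caller can fall back to seeding a userland PRNG; the per-call byte cap it loops around is an assumption.

```c
/* Added example, not code from the thread: fetch random bytes directly from the
 * kernel, as the KERN_ARND sysctl would let a userland arc4random do.
 * Uses sysctl(2) on FreeBSD and /dev/urandom elsewhere; a non-zero return tells
 * the caller the kernel source is unavailable (e.g. no random module loaded) and
 * it must fall back to a userland PRNG and seed that itself. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Fill buf[0..len) with kernel random bytes. Returns 0 on success, -1 on failure. */
int kernel_random_bytes(unsigned char *buf, size_t len)
{
    size_t got = 0;
#ifdef __FreeBSD__
    int mib[2] = { CTL_KERN, KERN_ARND };
    while (got < len) {
        /* A single call may return fewer bytes than requested (assumed
         * per-call cap), so keep asking until the buffer is full. */
        size_t n = len - got;
        if (sysctl(mib, 2, buf + got, &n, NULL, 0) != 0 || n == 0)
            return -1;
        got += n;
    }
#else
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n < 0 && errno == EINTR)
            continue;       /* interrupted by a signal: retry the read */
        if (n <= 0) {       /* error or EOF: device not usable */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
#endif
    return 0;
}
```

A caller that gets -1 should treat the kernel source as absent and seed its userland PRNG from another source, rather than proceeding with an unseeded generator.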