From owner-freebsd-security@freebsd.org Tue Mar 14 02:04:19 2017
From: Dewayne Geraghty
Date: Tue, 14 Mar 2017 13:03:47 +1100
Subject: Re: arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
To: Steven Chamberlain
Cc: freebsd-security@freebsd.org, freebsd-hackers@freebsd.org
In-Reply-To: <20170313220639.GB65190@pyro.eu.org>

On 14 March 2017 at 09:06, Steven Chamberlain wrote:
> From this document (TOP SECRET//SI//NOFORN):
> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
>
> version 1.0 said:
>
> | 8. (S//NF) [...] If RC4 is used, at least the first 1024
> | bytes of the cryptostream must be discarded and may not be used
>
> and that is exactly what FreeBSD's libc and in-kernel arc4random
> implementations do.
>
> version 1.1 received input from another agency:
>
> | (C//SI//REL FVEY) Coordinated with NSA/CES.
>
> and a new requirement was introduced:
>
> | (TS//SI) 5.9: Added additional information about proper use of RC4.
>
> | 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
> | bytes of the cryptostream must be discarded and may not be used.
>
> I think you should take that to mean the NSA has, or suspects someone
> else to have, a practical attack on RC4 when being used as FreeBSD does
> currently. The document seems 4-5 years old already, as it prohibits use
> of RC4 at all from 2014 onward.
>
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.
>
> Many thanks,
> Regards,
> --
> Steven Chamberlain
> steven@pyro.eu.org

Thanks Steven. I wasn't aware that OpenBSD was 3.5+ years ahead of the curve in
terms of securing against RC4 weaknesses, compared to FreeBSD. Perhaps they have
access to a mole ;)

The pointer to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182610 probably
needs a push along (or a local patch, which mostly applied to
/usr/src/lib/libc/gen/arc4random.c; 2 of 13 hunks need a manual adjustment).
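Added example, not code from this thread or from FreeBSD's arc4random.c: a plain RC4 keystream generator with the configurable "drop the first N bytes" behaviour the thread discusses, plus a constructed-key experiment showing why early keystream is discarded at all. The Mantin-Shamir result is that the second raw keystream byte is zero about twice as often (roughly 2/256) as a good stream would give, and the bias is gone once the early bytes are skipped; `rc4_keystream` and `second_byte_zero_rate` are names chosen for this example.

```python
import random


def rc4_keystream(key: bytes, nbytes: int, drop: int = 0) -> bytes:
    """Return `nbytes` of RC4 keystream after discarding the first `drop` bytes.

    drop=1024 corresponds to the "at least the first 1024 bytes" rule quoted
    in the thread; drop=3072 is the stricter figure from the v1.1 document.
    """
    # Key-scheduling algorithm (KSA): permute S under control of the key.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    # Pseudo-random generation algorithm (PRGA); the first `drop` outputs
    # are computed but thrown away, exactly like arc4random's skip.
    out = bytearray()
    i = j = 0
    for n in range(drop + nbytes):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        if n >= drop:
            out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def second_byte_zero_rate(trials: int, drop: int = 0, seed: int = 1234) -> float:
    """Fraction of random 16-byte keys whose keystream byte at index 1
    (counted after `drop` discarded bytes) is zero.

    An unbiased stream gives ~1/256; the raw RC4 stream gives ~2/256
    (Mantin-Shamir second-byte bias).  Keys are constructed from a fixed
    seed so the experiment is reproducible.
    """
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        key = bytes(rng.getrandbits(8) for _ in range(16))
        if rc4_keystream(key, 2, drop)[1] == 0:
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("raw keystream, P(byte[1] == 0):", second_byte_zero_rate(12000))
    print("after 1024-byte drop:          ", second_byte_zero_rate(3000, drop=1024))
```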