[16644] in cryptography@c2.net mail archive


Re: FreeBSD's urandom versus random

daemon@ATHENA.MIT.EDU (Daniel Carosone)
Wed Jan 5 22:03:55 2005

X-Original-To: cryptography@metzdowd.com
Date: Thu, 6 Jan 2005 10:45:28 +1100
From: Daniel Carosone <dan@geek.com.au>
To: "Perry E. Metzger" <perry@piermont.com>
Cc: Ian G <iang@systemics.com>, cryptography@metzdowd.com
In-Reply-To: <87wturbhjk.fsf@snark.piermont.com>


On Wed, Jan 05, 2005 at 06:08:31PM -0500, Perry E. Metzger wrote:
> Ian G <iang@systemics.com> writes:
> > While we're on the subject of /dev/[u]random, has anyone
> > looked at the new FreeBSD 5.3 version?
>
> Not the 5.3 version but I have looked a bit at earlier versions. I was
> pretty scared, frankly.

> FreeBSD has some other crypto toys that I'm dubious about. It now has
> a crypto file system widget that uses a bunch of odd ad hoc modes
> invented by the author. Some quick analysis shows that most of the
> complexity they add does not add actual cryptographic strength and
> does add possible attack vectors, which is worrisome.

I keep poking you-know-who to write up his gbde criticisms properly :)

> None of this should say that I'm entirely comfortable with the
> security of, say, NetBSD's /dev/random. Even though I should have,
> I've never properly audited the whole thing, which is more than mildly
> embarrassing. Shades of the shoemaker's children and such. For all I
> know, we've got big flaws, too.

I'd be very happy for any review from this group, as I've said
previously.

I have idly considered replacing the urandom device with something
like yarrow, re-seeded as appropriate from the random device.  This
would likely improve its speed, and (more importantly) reduce or
eliminate the times that urandom readers cause random readers to
block because the entropy estimator (however bogus) is low.

Recommending that urandom (in whatever form) is strong without
blocking and should be used ~always is one thing. Inverting the sense
of random, for those few cases where someone decides they're prepared
to block no matter what, as it seems FreeBSD has done, is another
thing entirely.

--
Dan.
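The design sketched in the message above (a Yarrow-like generator behind urandom, seeded from the entropy pool and reseeded only when the pool can afford it, so that urandom readers never drain the estimator that blocking random readers wait on) is easiest to see in a small model. The following is an added example, not code from the original mail and not NetBSD's or FreeBSD's implementation. The pool, its estimator, the constants POOL_CAP_BITS, SEED_BITS and RESEED_AFTER, and the SHA-256 counter-mode generator standing in for Yarrow are all constructed simplifications; "shared" models a urandom that pulls straight from the pool, "reseeded" models the proposal.

```python
"""Toy model of two /dev/urandom designs sharing one entropy pool.

Constructed illustration; not NetBSD or FreeBSD code. The "Yarrow-like"
generator is simplified to SHA-256 in counter mode with explicit reseeds.
"""
import hashlib

POOL_CAP_BITS = 1024   # assumption: ceiling of the entropy estimator
SEED_BITS = 256        # assumption: entropy charged per generator (re)seed
RESEED_AFTER = 4096    # assumption: output bytes before a reseed is attempted


class WouldBlock(Exception):
    """Raised where a blocking /dev/random reader would go to sleep."""


class EntropyPool:
    """Hash-based pool with a deliberately simplistic entropy estimator."""

    def __init__(self, initial_bits: int):
        self.state = hashlib.sha256(b"constructed-initial-state").digest()
        self.estimate_bits = min(initial_bits, POOL_CAP_BITS)

    def stir(self, sample: bytes, claimed_bits: int) -> None:
        """Mix a sample in and credit the estimator with its claimed entropy."""
        self.state = hashlib.sha256(self.state + sample).digest()
        self.estimate_bits = min(self.estimate_bits + claimed_bits, POOL_CAP_BITS)

    def extract(self, nbytes: int) -> bytes:
        """Pull bytes out and charge the estimator 8 bits per byte."""
        out = bytearray()
        ctr = 0
        while len(out) < nbytes:
            out += hashlib.sha256(self.state + ctr.to_bytes(4, "big")).digest()
            ctr += 1
        self.state = hashlib.sha256(self.state + b"extract").digest()  # step forward
        self.estimate_bits = max(0, self.estimate_bits - 8 * nbytes)
        return bytes(out[:nbytes])


def read_random(pool: EntropyPool, nbytes: int) -> bytes:
    """Blocking device: refuses unless the estimator covers the request."""
    if pool.estimate_bits < 8 * nbytes:
        raise WouldBlock(f"need {8 * nbytes} bits, have {pool.estimate_bits}")
    return pool.extract(nbytes)


def read_urandom_shared(pool: EntropyPool, nbytes: int) -> bytes:
    """Design A: urandom reads straight from the pool, draining the estimator."""
    return pool.extract(nbytes)


class ReseededGenerator:
    """Design B: deterministic generator seeded from the pool and reseeded only
    when the pool can afford it; its own output never charges the estimator."""

    def __init__(self, pool: EntropyPool):
        self.pool = pool
        self.key = pool.extract(SEED_BITS // 8)  # the one unavoidable charge
        self.counter = 0
        self.since_reseed = 0
        self.reseeds = 0

    def _maybe_reseed(self) -> None:
        # Reseed is opportunistic: due AND affordable, otherwise carry on.
        if self.since_reseed >= RESEED_AFTER and self.pool.estimate_bits >= SEED_BITS:
            fresh = self.pool.extract(SEED_BITS // 8)
            self.key = hashlib.sha256(self.key + fresh).digest()
            self.since_reseed = 0
            self.reseeds += 1

    def read(self, nbytes: int) -> bytes:
        self._maybe_reseed()
        out = bytearray()
        while len(out) < nbytes:
            out += hashlib.sha256(self.key + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        self.since_reseed += nbytes
        return bytes(out[:nbytes])


def scenario(design: str, initial_bits: int = 512) -> dict:
    """A urandom consumer reads 64 bytes, then a random consumer asks for 32.
    Reports whether the blocking reader would have slept."""
    pool = EntropyPool(initial_bits)
    if design == "shared":
        read_urandom_shared(pool, 64)
    else:
        ReseededGenerator(pool).read(64)
    try:
        read_random(pool, 32)
        blocked = False
    except WouldBlock:
        blocked = True
    return {"random_blocked": blocked, "pool_bits_left": pool.estimate_bits}


def reseed_demo() -> dict:
    """Show that a starved pool delays the reseed but never blocks urandom."""
    pool = EntropyPool(SEED_BITS)            # just enough for the first seed
    gen = ReseededGenerator(pool)            # estimator is now at 0
    gen.read(RESEED_AFTER)                   # reseed is due, pool is empty
    starved = gen.reseeds
    gen.read(16)                             # still served; no block, no reseed
    pool.stir(b"constructed interrupt-timing sample", SEED_BITS)
    gen.read(16)                             # now the reseed happens
    return {"reseeds_while_starved": starved,
            "reseeds_after_refill": gen.reseeds,
            "pool_bits_left": pool.estimate_bits}
```

With the same starting pool, `scenario("shared")` leaves the blocking reader asleep because the urandom read charged the estimator for all 64 bytes, while `scenario("reseeded")` serves both readers: the generator charged the pool once at seeding and nothing thereafter. `reseed_demo()` shows the other half of the proposal, that reseeding waits for the pool to recover rather than letting urandom block or drain it.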


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
