FreeBSD's urandom versus random

Perry E. Metzger perry at piermont.com
Wed Jan 5 15:08:31 PST 2005


Ian G <iang at systemics.com> writes:
> While we're on the subject of /dev/[u]random, has anyone
> looked at the new FreeBSD 5.3 version?

Not the 5.3 version but I have looked a bit at earlier versions. I was
pretty scared, frankly.

The author gave a talk at a BSDCon where he displayed both a profound
set of misunderstandings about what the papers he had read meant and
an extremely strong amount of arrogance. Among other things, he
claimed that Schneier and Co. had proven the security of Yarrow (which
of course they never had claimed), and that his changes to Yarrow made
it better (very dubious). He also obviously didn't understand crypto
very well. I wouldn't have minded so much if he hadn't been extremely
belligerent about defending his beliefs.

Anyway, after the talk I took a look at the code, and I didn't feel
very comfortable with it. It has been too many years now for me to
remember specifics, and it may have been changed a lot in the interim
-- in any case, you may want to examine it if you are contemplating
using it in something where it would be dangerous not to have very
solid random numbers available.

FreeBSD has some other crypto toys that I'm dubious about. It now has
a crypto file system widget that uses a bunch of odd ad hoc modes
invented by the author. Some quick analysis shows that most of the
complexity they add does not add actual cryptographic strength and
does add possible attack vectors, which is worrisome.  I'm always
against attempting to be clever under such circumstances, but a lot of
people don't seem to have the same fear of innovating in cryptography
without very careful analysis that I do.  It also doesn't protect very
well against brute forcing of the file system passphrase, which is (in
most cases) the likely way people will break such a thing. (Actually
the author claims that you would have to do tremendous disk i/o to
break the passphrase, but you can do a time/space tradeoff with RAM
that bypasses his hack.)

None of this should say that I'm entirely comfortable with the
security of, say, NetBSD's /dev/random. Even though I should have,
I've never properly audited the whole thing, which is more than mildly
embarrassing. Shades of the shoemaker's children and such. For all I
know, we've got big flaws, too.


Perry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com

--- end forwarded text


-- 
-----------------
R. A. Hettinga <mailto: rah at ibuc.com>
The Internet Bearer Underwriting Corporation <http://www.ibuc.com/>
44 Farquhar Street, Boston, MA 02131 USA
"... however it may deserve respect for its usefulness and antiquity,
[predicting the end of the world] has not been found agreeable to
experience." -- Edward Gibbon, 'Decline and Fall of the Roman Empire'