FreeBSD's urandom versus random

[Daniel Carosone]

On Wed, Jan 05, 2005 at 06:08:31PM -0500, Perry E. Metzger wrote:
> Ian G <iang at systemics.com> writes:
> > While we're on the subject of /dev/[u]random, has anyone
> > looked at the new FreeBSD 5.3 version?
> 
> Not the 5.3 version but I have looked a bit at earlier versions. I was
> pretty scared, frankly.

> FreeBSD has some other crypto toys that I'm dubious about. It now has
> a crypto file system widget that uses a bunch of odd ad hoc modes
> invented by the author. Some quick analysis shows that most of the
> complexity they add does not add actual cryptographic strength and
> does add possible attack vectors, which is worrisome.

I keep poking you-know-who to write up his gbde criticisms properly :)

> None of this should say that I'm entirely comfortable with the
> security of, say, NetBSD's /dev/random. Even though I should have,
> I've never properly audited the whole thing, which is more than mildly
> embarrassing. Shades of the shoemaker's children and such. For all I
> know, we've got big flaws, too.

I'd be very happy for any review from this group, as I've said
previously.

I have idly considered replacing the urandom device with something
like yarrow, re-seeded as appropriate from the random device.  This
would likely improve its speed, and (more importantly) reduce or
eliminate the times that urandom readers cause random readers to
block because the entropy estimator (however bogus) is low.

Recommending that urandom (in whatever form) is strong without
blocking and should be used ~always is one thing. Inverting the sense
of random, for those few cases where someone decides they're prepared
to block no matter what, as it seems FreeBSD has done, is another
thing entirely.

--
Dan.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 186 bytes
Desc: not available
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20050106/90c43bab/attachment.pgp>