| @@ -1,14 +1,14 @@ | | | @@ -1,14 +1,14 @@ |
1 | .\" $NetBSD: rnd.4,v 1.20.10.1 2015/03/18 07:54:26 snj Exp $ | | 1 | .\" $NetBSD: rnd.4,v 1.20.10.1.2.1 2019/12/05 16:23:22 bouyer Exp $ |
2 | .\" | | 2 | .\" |
3 | .\" Copyright (c) 2014 The NetBSD Foundation, Inc. | | 3 | .\" Copyright (c) 2014 The NetBSD Foundation, Inc. |
4 | .\" All rights reserved. | | 4 | .\" All rights reserved. |
5 | .\" | | 5 | .\" |
6 | .\" This code is derived from software contributed to The NetBSD Foundation | | 6 | .\" This code is derived from software contributed to The NetBSD Foundation |
7 | .\" by Taylor R. Campbell. | | 7 | .\" by Taylor R. Campbell. |
8 | .\" | | 8 | .\" |
9 | .\" Redistribution and use in source and binary forms, with or without | | 9 | .\" Redistribution and use in source and binary forms, with or without |
10 | .\" modification, are permitted provided that the following conditions | | 10 | .\" modification, are permitted provided that the following conditions |
11 | .\" are met: | | 11 | .\" are met: |
12 | .\" 1. Redistributions of source code must retain the above copyright | | 12 | .\" 1. Redistributions of source code must retain the above copyright |
13 | .\" notice, this list of conditions and the following disclaimer. | | 13 | .\" notice, this list of conditions and the following disclaimer. |
14 | .\" 2. Redistributions in binary form must reproduce the above copyright | | 14 | .\" 2. Redistributions in binary form must reproduce the above copyright |
| @@ -17,27 +17,27 @@ | | | @@ -17,27 +17,27 @@ |
17 | .\" | | 17 | .\" |
18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS | | 18 | .\" THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS |
19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED | | 19 | .\" ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED |
20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR | | 20 | .\" TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS | | 21 | .\" PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS |
22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR | | 22 | .\" BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR |
23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF | | 23 | .\" CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF |
24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS | | 24 | .\" SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS |
25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN | | 25 | .\" INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN |
26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) | | 26 | .\" CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE | | 27 | .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
28 | .\" POSSIBILITY OF SUCH DAMAGE. | | 28 | .\" POSSIBILITY OF SUCH DAMAGE. |
29 | .\" | | 29 | .\" |
30 | .Dd November 16, 2014 | | 30 | .Dd September 3, 2019 |
31 | .Dt RND 4 | | 31 | .Dt RND 4 |
32 | .Os | | 32 | .Os |
33 | .Sh NAME | | 33 | .Sh NAME |
34 | .Nm rnd | | 34 | .Nm rnd |
35 | .Nd random number generator | | 35 | .Nd random number generator |
36 | .Sh DESCRIPTION | | 36 | .Sh DESCRIPTION |
37 | The | | 37 | The |
38 | .Pa /dev/random | | 38 | .Pa /dev/random |
39 | and | | 39 | and |
40 | .Pa /dev/urandom | | 40 | .Pa /dev/urandom |
41 | devices generate bytes randomly with uniform distribution. | | 41 | devices generate bytes randomly with uniform distribution. |
42 | Every read from them is independent. | | 42 | Every read from them is independent. |
43 | .Bl -tag -width /dev/urandom | | 43 | .Bl -tag -width /dev/urandom |
| @@ -177,45 +177,45 @@ and the observations are combined into a | | | @@ -177,45 +177,45 @@ and the observations are combined into a |
177 | The | | 177 | The |
178 | .Xr rndctl 8 | | 178 | .Xr rndctl 8 |
179 | command queries information about entropy sources and the entropy pool, | | 179 | command queries information about entropy sources and the entropy pool, |
180 | and can control which entropy sources the operating system uses or | | 180 | and can control which entropy sources the operating system uses or |
181 | ignores. | | 181 | ignores. |
182 | .Pp | | 182 | .Pp |
183 | 256 bits of entropy is typically considered intractible to guess with | | 183 | 256 bits of entropy is typically considered intractible to guess with |
184 | classical computers and with current models of the capabilities of | | 184 | classical computers and with current models of the capabilities of |
185 | quantum computers. | | 185 | quantum computers. |
186 | .Pp | | 186 | .Pp |
187 | Systems with nonvolatile storage should store a secret from | | 187 | Systems with nonvolatile storage should store a secret from |
188 | .Pa /dev/urandom | | 188 | .Pa /dev/urandom |
189 | on disk during installation or shutdown, and feed it back during boot, | | 189 | on disk during installation or shutdown, and feed it back during boot, |
190 | so that the work the operating system has done to gather entropy -- | | 190 | so that the work the operating system has done to gather entropy \(em |
191 | including the work its operator may have done to flip a coin! -- can be | | 191 | including the work its operator may have done to flip a coin! \(em can be |
192 | saved from one boot to the next, and so that newly installed systems | | 192 | saved from one boot to the next, and so that newly installed systems |
193 | are not vulnerable to generating cryptographic keys predictably. | | 193 | are not vulnerable to generating cryptographic keys predictably. |
194 | .Pp | | 194 | .Pp |
195 | The boot loaders in some | | 195 | The boot loaders in some |
196 | .Nx | | 196 | .Nx |
197 | ports support a command to load a seed from disk before the | | 197 | ports support a command to load a seed from disk before the |
198 | kernel has started. | | 198 | kernel has started. |
199 | For those that don't, the | | 199 | For those that don't, the |
200 | .Xr rndctl 8 | | 200 | .Xr rndctl 8 |
201 | command can do it once userland has started, for example by setting | | 201 | command can do it once userland has started, for example by setting |
202 | .Dq Va rndctl=YES | | 202 | .Dq Va rndctl=YES |
203 | in | | 203 | in |
204 | .Pa /etc/rc.conf ; | | 204 | .Pa /etc/rc.conf ; |
205 | see | | 205 | see |
206 | .Xr rc.conf 5 . | | 206 | .Xr rc.conf 5 . |
207 | .Sh LIMITATIONS | | 207 | .Sh LIMITATIONS |
208 | Some people worry about recovery from state compromise -- that is, | | 208 | Some people worry about recovery from state compromise \(em that is, |
209 | ensuring that even if an attacker sees the entire state of the | | 209 | ensuring that even if an attacker sees the entire state of the |
210 | operating system, then the attacker will be unable to predict any new | | 210 | operating system, then the attacker will be unable to predict any new |
211 | future outputs as long as the operating system gathers fresh entropy | | 211 | future outputs as long as the operating system gathers fresh entropy |
212 | quickly enough. | | 212 | quickly enough. |
213 | .Pp | | 213 | .Pp |
214 | But if an attacker has seen the entire state of your machine, | | 214 | But if an attacker has seen the entire state of your machine, |
215 | refreshing entropy is probably the least of your worries, so we do not | | 215 | refreshing entropy is probably the least of your worries, so we do not |
216 | address that threat model here. | | 216 | address that threat model here. |
217 | .Pp | | 217 | .Pp |
218 | The | | 218 | The |
219 | .Nm | | 219 | .Nm |
220 | subsystem does | | 220 | subsystem does |
221 | .Em not | | 221 | .Em not |
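Review bot: the unchanged context line 183 in this hunk still reads "intractible", which should be "intractable"; since this hunk already rewrites the surrounding paragraphs (the `--` to `\(em` changes at 190, 191 and 208), fix the spelling here rather than leaving it for a separate commit. The `\(em` substitution itself is the right mdoc escape for an em dash and renders correctly in both nroff and HTML output, so no objection there. One minor style point for the same region: line 199 ("For those that don't") uses a contraction, which the rest of the DESCRIPTION avoids; "For those that do not" would be consistent.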
| @@ -394,29 +394,29 @@ and | | | @@ -394,29 +394,29 @@ and |
394 | .Pa /dev/urandom | | 394 | .Pa /dev/urandom |
395 | devices.) | | 395 | devices.) |
396 | .Pp | | 396 | .Pp |
397 | Samples from entropy sources are fed 32 bits at a time into the entropy | | 397 | Samples from entropy sources are fed 32 bits at a time into the entropy |
398 | pool, which is an array of 4096 bits, or 128 32-bit words, representing | | 398 | pool, which is an array of 4096 bits, or 128 32-bit words, representing |
399 | 32 linear feedback shift registers each 128 bits long. | | 399 | 32 linear feedback shift registers each 128 bits long. |
400 | .\" XXX Finish this description so it is implementable. | | 400 | .\" XXX Finish this description so it is implementable. |
401 | .Pp | | 401 | .Pp |
402 | When a user process opens | | 402 | When a user process opens |
403 | .Pa /dev/random | | 403 | .Pa /dev/random |
404 | or | | 404 | or |
405 | .Pa /dev/urandom | | 405 | .Pa /dev/urandom |
406 | and first reads from it, the kernel draws from the entropy pool to seed | | 406 | and first reads from it, the kernel draws from the entropy pool to seed |
407 | a cryptographic pseudorandom number generator, the NIST CTR_DRBG | | 407 | a cryptographic pseudorandom number generator, the NIST Hash_DRBG |
408 | (counter-mode deterministic random bit generator) with AES-128 as the | | 408 | (hash-based deterministic random bit generator) with SHA-256 as the |
409 | block cipher, and uses that to generate data. | | 409 | hash function, and uses that to generate data. |
410 | .Pp | | 410 | .Pp |
411 | To draw a seed from the entropy pool, the kernel | | 411 | To draw a seed from the entropy pool, the kernel |
412 | .Bl -bullet -offset abcd -compact | | 412 | .Bl -bullet -offset abcd -compact |
413 | .It | | 413 | .It |
414 | computes the SHA-1 hash of the entropy pool, | | 414 | computes the SHA-1 hash of the entropy pool, |
415 | .It | | 415 | .It |
416 | feeds the SHA-1 hash word-by-word back into the entropy pool like an | | 416 | feeds the SHA-1 hash word-by-word back into the entropy pool like an |
417 | entropy source, and | | 417 | entropy source, and |
418 | .It | | 418 | .It |
419 | yields the xor of bytes | | 419 | yields the xor of bytes |
420 | .Pf 0.. Fa n | | 420 | .Pf 0.. Fa n |
421 | with bytes | | 421 | with bytes |
422 | .Fa n Ns +0.. Ns Fa n Ns Pf + Fa n | | 422 | .Fa n Ns +0.. Ns Fa n Ns Pf + Fa n |
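Review bot: lines 407-409 now say the per-open generator is NIST Hash_DRBG with SHA-256, but the seed-derivation bullets that follow at 414-416 still say the kernel "computes the SHA-1 hash of the entropy pool" and feeds "the SHA-1 hash word-by-word back"; if pool extraction genuinely still uses SHA-1 while the DRBG uses SHA-256, a one-line remark that the two hashes are distinct would stop readers from assuming 414-416 is stale, and if extraction changed too, those lines need the same update. The `.\" XXX Finish this description so it is implementable.` marker at 400 also survives the rewrite; worth either resolving or noting it is still open, given that the DRBG description immediately after it is now being presented as authoritative.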
| @@ -479,30 +479,30 @@ Uniform random byte source. | | | @@ -479,30 +479,30 @@ Uniform random byte source. |
479 | May block. | | 479 | May block. |
480 | .It Pa /dev/urandom | | 480 | .It Pa /dev/urandom |
481 | Uniform random byte source. | | 481 | Uniform random byte source. |
482 | Never blocks. | | 482 | Never blocks. |
483 | .El | | 483 | .El |
484 | .Sh SEE ALSO | | 484 | .Sh SEE ALSO |
485 | .Xr arc4random 3 , | | 485 | .Xr arc4random 3 , |
486 | .Xr rndctl 8 , | | 486 | .Xr rndctl 8 , |
487 | .Xr cprng 9 | | 487 | .Xr cprng 9 |
488 | .Rs | | 488 | .Rs |
489 | .%A Elaine Barker | | 489 | .%A Elaine Barker |
490 | .%A John Kelsey | | 490 | .%A John Kelsey |
491 | .%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators | | 491 | .%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators |
492 | .%D January 2012 | | 492 | .%D June 2015 |
493 | .%I National Institute of Standards and Technology | | 493 | .%I National Institute of Standards and Technology |
494 | .%O NIST Special Publication 800-90A | | 494 | .%O NIST Special Publication 800-90A, Revision 1 |
495 | .%U http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf | | 495 | .%U https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final |
496 | .Re | | 496 | .Re |
497 | .Rs | | 497 | .Rs |
498 | .%A Daniel J. Bernstein | | 498 | .%A Daniel J. Bernstein |
499 | .%T Entropy Attacks! | | 499 | .%T Entropy Attacks! |
500 | .%D 2014-02-05 | | 500 | .%D 2014-02-05 |
501 | .%U http://blog.cr.yp.to/20140205-entropy.html | | 501 | .%U http://blog.cr.yp.to/20140205-entropy.html |
502 | .Re | | 502 | .Re |
503 | .Rs | | 503 | .Rs |
504 | .%A Nadia Heninger | | 504 | .%A Nadia Heninger |
505 | .%A Zakir Durumeric | | 505 | .%A Zakir Durumeric |
506 | .%A Eric Wustrow | | 506 | .%A Eric Wustrow |
507 | .%A J. Alex Halderman | | 507 | .%A J. Alex Halderman |
508 | .%T Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices | | 508 | .%T Mining Your Ps and Qs: Detection of Widespread Weak Keys in Network Devices |
| @@ -541,69 +541,43 @@ even if entropy estimates were accurate | | | @@ -541,69 +541,43 @@ even if entropy estimates were accurate |
541 | long for | | 541 | long for |
542 | .Pa /dev/random | | 542 | .Pa /dev/random |
543 | to stop blocking. | | 543 | to stop blocking. |
544 | .Pp | | 544 | .Pp |
545 | Many people are confused about what | | 545 | Many people are confused about what |
546 | .Pa /dev/random | | 546 | .Pa /dev/random |
547 | and | | 547 | and |
548 | .Pa /dev/urandom | | 548 | .Pa /dev/urandom |
549 | mean. | | 549 | mean. |
550 | Unfortunately, no amount of software engineering can fix that. | | 550 | Unfortunately, no amount of software engineering can fix that. |
551 | .Sh ENTROPY ACCOUNTING | | 551 | .Sh ENTROPY ACCOUNTING |
552 | The entropy accounting described here is not grounded in any | | 552 | The entropy accounting described here is not grounded in any |
553 | cryptography theory. | | 553 | cryptography theory. |
554 | It is done because it was always done, and because it gives people a | | 554 | .Sq Entropy estimation |
555 | warm fuzzy feeling about information theory. | | 555 | doesn't mean much: the kernel hypothesizes an extremely simple-minded |
| | | 556 | parametric model for all entropy sources which bears little relation to |
| | | 557 | any physical processes, implicitly fits parameters from data, and |
| | | 558 | accounts for the entropy of the fitted model. |
556 | .Pp | | 559 | .Pp |
557 | The folklore is that every | | 560 | Past versions of the |
558 | .Fa n Ns -bit | | 561 | .Nm |
559 | output of | | 562 | subsystem were concerned with |
560 | .Fa /dev/random | | 563 | .Sq information-theoretic |
561 | is not merely indistinguishable from uniform random to a | | 564 | security, under the premise that the number of bits of entropy out must |
562 | computationally bounded attacker, but information-theoretically is | | 565 | not exceed the number of bits of entropy in \(em never mind that its |
563 | independent and has | | 566 | .Sq entropy estimation |
564 | .Fa n | | 567 | is essentially meaningless without a model for the physical processes |
565 | bits of entropy even to a computationally | | 568 | the system is observing. |
566 | .Em unbounded | | 569 | .Pp |
567 | attacker -- that is, an attacker who can recover AES keys, compute | | 570 | But every cryptographic protocol in practice, including HTTPS, SSH, |
568 | SHA-1 preimages, etc. | | 571 | PGP, etc., expands short secrets deterministically into long streams of |
569 | This property is not provided, nor was it ever provided in any | | 572 | bits, and their security relies on conjectures that a computationally |
570 | implementation of | | 573 | bounded attacker cannot distinguish the long streams from uniform |
571 | .Fa /dev/random | | 574 | random. |
572 | known to the author. | | | |
573 | .Pp | | | |
574 | This property would require that, after each read, the system discard | | | |
575 | all measurements from hardware in the entropy pool and begin anew. | | | |
576 | All work done to make the system unpredictable would be thrown out, and | | | |
577 | the system would immediately become predictable again. | | | |
578 | Reverting the system to being predictable every time a process reads | | | |
579 | from | | | |
580 | .Fa /dev/random | | | |
581 | would give attackers a tremendous advantage in predicting future | | | |
582 | outputs, especially if they can fool the entropy estimator, e.g. by | | | |
583 | sending carefully timed network packets. | | | |
584 | .Pp | | | |
585 | If you filled your entropy pool by flipping a coin 256 times, you would | | | |
586 | have to flip it again 256 times for the next output, and so on. | | | |
587 | In that case, if you really want information-theoretic guarantees, you | | | |
588 | might as well take | | | |
589 | .Fa /dev/random | | | |
590 | out of the picture and use your coin flips verbatim. | | | |
591 | .Pp | | | |
592 | On the other hand, every cryptographic protocol in practice, including | | | |
593 | HTTPS, SSH, PGP, etc., expands short secrets deterministically into | | | |
594 | long streams of bits, and their security relies on conjectures that a | | | |
595 | computationally bounded attacker cannot distinguish the long streams | | | |
596 | from uniform random. | | | |
597 | If we couldn't do that for | | 575 | If we couldn't do that for |
598 | .Fa /dev/random , | | 576 | .Fa /dev/random , |
599 | it would be hopeless to assume we could for HTTPS, SSH, PGP, etc. | | 577 | it would be hopeless to assume we could for HTTPS, SSH, PGP, etc. |
600 | .Pp | | 578 | .Pp |
601 | History is littered with examples of broken entropy sources and failed | | 579 | History is littered with examples of broken entropy sources and failed |
602 | system engineering for random number generators. | | 580 | system engineering for random number generators. |
603 | Nobody has ever reported distinguishing AES ciphertext from uniform | | 581 | Nobody has ever reported distinguishing SHA-256 hashes with secret |
604 | random without side channels, nor reported computing SHA-1 preimages | | 582 | inputs from uniform random, nor reported computing SHA-1 preimages |
605 | faster than brute force. | | 583 | faster than brute force. |
606 | The folklore information-theoretic defence against computationally | | | |
607 | unbounded attackers replaces system engineering that successfully | | | |
608 | defends against realistic threat models by imaginary theory that | | | |
609 | defends only against fantasy threat models. | | | |
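Review bot: new line 576 writes the device path as `.Fa /dev/random ,` (carried over from old 598), but `.Fa` is the function-argument macro; every other reference on this page uses `.Pa /dev/random`, so change it to `.Pa /dev/random ,` for consistent rendering and semantics. Two further points on the rewritten text: (1) new line 552 still opens with "The entropy accounting described here", while 560-568 say "Past versions of the rnd subsystem were concerned with" information-theoretic accounting, and the FILES section elsewhere in this file still says /dev/random "May block"; a reader cannot tell from this section whether the current accounting still gates blocking, so state it explicitly. (2) The deletion of old 574-590 drops the only concrete argument for why per-read pool discarding is harmful (the "flip it again 256 times for the next output" illustration); if that is intentional, fine, but a sentence along those lines would make the surviving claim at 564-568 less abstract. Lastly, 581-583 now pair "SHA-256 hashes with secret inputs" with "SHA-1 preimages", which is consistent with the DESCRIPTION change only if pool extraction really does remain SHA-1; please confirm that is what the kernel does.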