| version 1.20.10.2, 2019/12/05 16:29:23 |
version 1.21, 2015/01/07 18:50:18 |
|
|
| .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE |
| .\" POSSIBILITY OF SUCH DAMAGE. |
.\" POSSIBILITY OF SUCH DAMAGE. |
| .\" |
.\" |
| .Dd September 3, 2019 |
.Dd November 16, 2014 |
| .Dt RND 4 |
.Dt RND 4 |
| .Os |
.Os |
| .Sh NAME |
.Sh NAME |
| Line 187 quantum computers. |
|
| Line 187 quantum computers. |
|
| Systems with nonvolatile storage should store a secret from |
Systems with nonvolatile storage should store a secret from |
| .Pa /dev/urandom |
.Pa /dev/urandom |
| on disk during installation or shutdown, and feed it back during boot, |
on disk during installation or shutdown, and feed it back during boot, |
| so that the work the operating system has done to gather entropy \(em |
so that the work the operating system has done to gather entropy -- |
| including the work its operator may have done to flip a coin! \(em can be |
including the work its operator may have done to flip a coin! -- can be |
| saved from one boot to the next, and so that newly installed systems |
saved from one boot to the next, and so that newly installed systems |
| are not vulnerable to generating cryptographic keys predictably. |
are not vulnerable to generating cryptographic keys predictably. |
| .Pp |
.Pp |
|
|
| see |
see |
| .Xr rc.conf 5 . |
.Xr rc.conf 5 . |
| .Sh LIMITATIONS |
.Sh LIMITATIONS |
| Some people worry about recovery from state compromise \(em that is, |
Some people worry about recovery from state compromise -- that is, |
| ensuring that even if an attacker sees the entire state of the |
ensuring that even if an attacker sees the entire state of the |
| operating system, then the attacker will be unable to predict any new |
operating system, then the attacker will be unable to predict any new |
| future outputs as long as the operating system gathers fresh entropy |
future outputs as long as the operating system gathers fresh entropy |
| Line 404 When a user process opens |
|
| Line 404 When a user process opens |
|
| or |
or |
| .Pa /dev/urandom |
.Pa /dev/urandom |
| and first reads from it, the kernel draws from the entropy pool to seed |
and first reads from it, the kernel draws from the entropy pool to seed |
| a cryptographic pseudorandom number generator, the NIST Hash_DRBG |
a cryptographic pseudorandom number generator, the NIST CTR_DRBG |
| (hash-based deterministic random bit generator) with SHA-256 as the |
(counter-mode deterministic random bit generator) with AES-128 as the |
| hash function, and uses that to generate data. |
block cipher, and uses that to generate data. |
| .Pp |
.Pp |
| To draw a seed from the entropy pool, the kernel |
To draw a seed from the entropy pool, the kernel |
| .Bl -bullet -offset abcd -compact |
.Bl -bullet -offset abcd -compact |
|
|
| .%A Elaine Barker |
.%A Elaine Barker |
| .%A John Kelsey |
.%A John Kelsey |
| .%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators |
.%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators |
| .%D June 2015 |
.%D January 2012 |
| .%I National Institute of Standards and Technology |
.%I National Institute of Standards and Technology |
| .%O NIST Special Publication 800-90A, Revision 1 |
.%O NIST Special Publication 800-90A |
| .%U https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final |
.%U http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf |
| .Re |
.Re |
| .Rs |
.Rs |
| .%A Daniel J. Bernstein |
.%A Daniel J. Bernstein |
| Line 551 Unfortunately, no amount of software eng |
|
| Line 551 Unfortunately, no amount of software eng |
|
| .Sh ENTROPY ACCOUNTING |
.Sh ENTROPY ACCOUNTING |
| The entropy accounting described here is not grounded in any |
The entropy accounting described here is not grounded in any |
| cryptography theory. |
cryptography theory. |
| .Sq Entropy estimation |
It is done because it was always done, and because it gives people a |
| doesn't mean much: the kernel hypothesizes an extremely simple-minded |
warm fuzzy feeling about information theory. |
| parametric model for all entropy sources which bears little relation to |
|
| any physical processes, implicitly fits parameters from data, and |
|
| accounts for the entropy of the fitted model. |
|
| .Pp |
.Pp |
| Past versions of the |
The folklore is that every |
| .Nm |
.Fa n Ns -bit |
| subsystem were concerned with |
output of |
| .Sq information-theoretic |
.Fa /dev/random |
| security, under the premise that the number of bits of entropy out must |
is not merely indistinguishable from uniform random to a |
| not exceed the number of bits of entropy in \(em never mind that its |
computationally bounded attacker, but information-theoretically is |
| .Sq entropy estimation |
independent and has |
| is essentially meaningless without a model for the physical processes |
.Fa n |
| the system is observing. |
bits of entropy even to a computationally |
| .Pp |
.Em unbounded |
| But every cryptographic protocol in practice, including HTTPS, SSH, |
attacker -- that is, an attacker who can recover AES keys, compute |
| PGP, etc., expands short secrets deterministically into long streams of |
SHA-1 preimages, etc. |
| bits, and their security relies on conjectures that a computationally |
This property is not provided, nor was it ever provided in any |
| bounded attacker cannot distinguish the long streams from uniform |
implementation of |
| random. |
.Fa /dev/random |
| |
known to the author. |
| |
.Pp |
| |
This property would require that, after each read, the system discard |
| |
all measurements from hardware in the entropy pool and begin anew. |
| |
All work done to make the system unpredictable would be thrown out, and |
| |
the system would immediately become predictable again. |
| |
Reverting the system to being predictable every time a process reads |
| |
from |
| |
.Fa /dev/random |
| |
would give attackers a tremendous advantage in predicting future |
| |
outputs, especially if they can fool the entropy estimator, e.g. by |
| |
sending carefully timed network packets. |
| |
.Pp |
| |
If you filled your entropy pool by flipping a coin 256 times, you would |
| |
have to flip it again 256 times for the next output, and so on. |
| |
In that case, if you really want information-theoretic guarantees, you |
| |
might as well take |
| |
.Fa /dev/random |
| |
out of the picture and use your coin flips verbatim. |
| |
.Pp |
| |
On the other hand, every cryptographic protocol in practice, including |
| |
HTTPS, SSH, PGP, etc., expands short secrets deterministically into |
| |
long streams of bits, and their security relies on conjectures that a |
| |
computationally bounded attacker cannot distinguish the long streams |
| |
from uniform random. |
| If we couldn't do that for |
If we couldn't do that for |
| .Fa /dev/random , |
.Fa /dev/random , |
| it would be hopeless to assume we could for HTTPS, SSH, PGP, etc. |
it would be hopeless to assume we could for HTTPS, SSH, PGP, etc. |
| .Pp |
.Pp |
| History is littered with examples of broken entropy sources and failed |
History is littered with examples of broken entropy sources and failed |
| system engineering for random number generators. |
system engineering for random number generators. |
| Nobody has ever reported distinguishing SHA-256 hashes with secret |
Nobody has ever reported distinguishing AES ciphertext from uniform |
| inputs from uniform random, nor reported computing SHA-1 preimages |
random without side channels, nor reported computing SHA-1 preimages |
| faster than brute force. |
faster than brute force. |
| |
The folklore information-theoretic defence against computationally |
| |
unbounded attackers replaces system engineering that successfully |
| |
defends against realistic threat models by imaginary theory that |
| |
defends only against fantasy threat models. |
![[BACK]](/icons/back.gif){kind=icon}
Return to rnd.4 CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [cvs.NetBSD.org] / src / share / man / man4