It is 2016. There is no business for any major tool to be shipping a dependency on a userspace random number generator like this.
http://sockpuppet.org/blog/2014/02/25/safely-generate-random...
It's not enough for us to stop fielding new software with broken userspace random (all userspace random is broken random). We need to go back through all the software, find all the userspace RNGs, and replace them with urandom reads
#include <windows.h>
#define SystemFunction036 NTAPI SystemFunction036
#include <ntsecapi.h>
#undef SystemFunction036
RtlGenRandom(buf, size);
RtlGenRandom uses a CSPRNG specified in NIST 800-90[4]. It uses AES256 in CTR mode AFAIK.
[1] https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...
[2] https://boringssl.googlesource.com/boringssl/+/master/crypto...
[3] https://msdn.microsoft.com/en-us/library/sxtz2fa8.aspx
[4] https://msdn.microsoft.com/en-us/library/windows/desktop/aa3...
I warned him he'd get flagged for this and he said he got flagged for quoting De La Soul on a De La thread and I have no clever response to that.
[1] https://insanecoding.blogspot.com/2014/05/a-good-idea-with-b...
I don't see how this flaw is connected to the fact that libgcrypt runs in user space. A similar bug could well be discovered in the mixing function behind /dev/urandom.
1. Ensuring that it's adequately seeded before anyone can use it.
2. Providing forward secrecy by periodically rekeying ("refreshing the entropy pool", but we should do away with that terminology).
3. Carrying over state across reboots.
(There are four problems if you consider "being performant" a problem on the scale of fundamental design, but it's mostly not).
You wouldn't think CSPRNGs are this simple by reading either the literature on things like Fortuna and Yarrow or by reading the LKML and patch proposals for the LRNG. You'd think it was super tricky to collect "enough entropy" from enough "decorrelated sources", you'd think you'd have to deal with "depletion", you'd think about "high quality" versus "low quality" entropy, and the like. But these issues aren't just not important: they are mostly folkloric.
Generating a practically limitless stream of random bits isn't a hard cryptographic problem. It is an elementary problem. It's the problem that every stream encryption scheme solves. You can simply use stream encryption schemes, like stream ciphers or block ciphers and hashes in CTR mode, as CSPRNGs.
The problem we need to solve isn't upgrading the LRNG or getting everyone to use Schneier's favorite CSPRNG design (the section on this in Cryptography Engineering is one of the book's few warts). It's getting everyone to use the kernel RNG to the exclusion of all else. That's because those 3 problems I listed up there are easy to solve if you're using /dev/urandom (or the getrandom system call), but extremely tricky otherwise.
This manifests in issues like scalability: some patches were merged to (slightly) improve scalable performance of /dev/urandom...and these were phrased as "Sure, we can do this, because idiots might want that and it costs us little--but we should emphasize this sort of thing isn't an actual supported feature!"
The people who maintain /dev/urandom aren't stupid, but for some reason they really don't seem to get (or agree with at least) your argument. I'd really like to understand why; I don't.
(I am technically a linux developer--I work on the kernel we use internally, and have actual patches to my name upstream--but am not a deep part of the external community.)
Every software developer needs to print out this sentence and stick it above their kanban board (or equivalent).
https://sites.google.com/site/astudyofentropy/project-defini...
EDIT: Secondly
This "Furthermore, the flaw makes a part of the PRNG output completely predictable"
= Predict the random number generator no matter what it is seeded with.
Dear God.
On the plus side, these games have given the Russians near total access to all the important US systems, while they feed disinformation into their non hardened systems. So at least we can laugh at the irony.
https://blog.cr.yp.to/20140205-entropy.html
[1] It's been awhile since I researched this, but long ago, in a land far, far way, there was published a Usenix paper (IIRC) that carefully examined and estimated entropy from disk latencies. These figures were hardcoded into many entropy estimators, including the Linux kernel's, over many cycles of hard drive evolution. IOW, even assuming the paper accurately measured entropy of then-current hard drive technology, it was totally irrelevant over the subsequent decade (and maybe more) it was relied upon. No matter how conservatively you discounted the estimate, the baseline was effectively arbitrary in the context of newer technology. And AFAIK nobody even tried carefully re-validating the original paper. At best there was just more hand waving, fudging of constants, and equivocations of spinning rust.
Which is one reason why, IMHO, entropy estimation is a bad idea, especially when you allow it to dictate the design of your PRNG. It's fundamentally all a bunch of hand waving outside the context of purpose built RNG hardware, and even if you got it right, the next model of a product could destroy your proof. One of the designers of the new PRNG in the Linux kernel put a lot of effort into entropy estimation, including comprehensive software instrumentation to validate some of his assumptions. That's laudable work, but even if correct and accurate, unless you lock him in a room and feed him every new model of CPU, memory controller, disk controller, etc, coming out, it's not reliable.
From a security posture, you never want to make decisions based on the assumption that you're at least as clever as a hacker; that you thought of _all_ the corner cases that might be exploitable. That's what entropy estimation is--trying to discover all the hidden variables and then, when you've exhausted your patience, assuming there are no more, at least none your attacker is likely to discover.
Rather, like with ciphers, you want your proof to be capable of being distilled down to a small number of very clear variables and premises (e.g. key length, cipher construction), which you can then easily keep an eye on for evidence of invalidation. Entropy estimation is really far removed from that model of risk analysis.
You've got:
- Multiple "Random quality levels", defined as "weak random", "strong random", and "very strong random". How does a any CSPRNG sensibly differentiate?
- "Weak random" is described as for use in "all functions", with a specific list of exceptions. In other words, it's the default.
- A random function that doesn't "drain the precious entropy pool", which is described as producing "unpredictable bytes"
- A "secure" variant of the gcry_random_bytes function, which still takes a "level" as an input, including "weak"
If I picture myself as a developer using this, there's a horrible amount of options, and a feeling that every recommended option is a place I'm likely to make a fatal error.
[1] https://www.gnupg.org/documentation/manuals/gcrypt/Retrievin...
> Please note that this document makes no claims about the effect of the flaw on the security of generated keys or other artifacts.