Steven Chamberlain
2017-Mar-13 22:06 UTC
arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
From this document (TOP SECRET//SI//NOFORN):
https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf

version 1.0 said:

| 8. (S//NF) [...] If RC4 is used, at least the first 1024
| bytes of the cryptostream must be discarded and may not be used

and that is exactly what FreeBSD's libc and in-kernel arc4random implementations do.

version 1.1 received input from another agency:

| (C//SI//REL FVEY) Coordinated with NSA/CES.

and a new requirement was introduced:

| (TS//SI) 5.9: Added additional information about proper use of RC4.

| 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
| bytes of the cryptostream must be discarded and may not be used.

I think you should take that to mean the NSA has, or suspects someone else to have, a practical attack on RC4 when being used as FreeBSD does currently. The document seems 4-5 years old already, as it prohibits use of RC4 at all from 2014 onward.

Please consider switching to ChaCha20 in the long term (kern/182610), but right now, at least increase the amount of early keystream that is discarded.

Many thanks,
Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org

[Attachment: arc4random.patch (text/x-diff, 1138 bytes): http://lists.freebsd.org/pipermail/freebsd-security/attachments/20170313/aab8cd51/attachment.patch]
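The message above turns on one mechanism: an RC4-based generator that throws away the first N keystream bytes before handing any out. The following is an added example written for this archive page, not the FreeBSD arc4random code or the attached patch. It is a textbook RC4 (KSA + PRGA) with a discard step, checked against the standard "Key"/"Plaintext" test vector, and it measures the best-known early-keystream defect, the Mantin-Shamir bias (the second output byte is 0 with probability about 2/256 instead of 1/256) over many random keys. Keys come from a deterministic splitmix64 generator so the run is reproducible; key length (16 bytes), trial count and seed are arbitrary choices for the experiment. Note that this particular bias vanishes after dropping far fewer than 1024 bytes; the 3072-byte figure in the document concerns weaker, longer-range biases that this small experiment does not show.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal RC4 state: permutation plus the two PRGA indices. */
struct rc4 {
    uint8_t s[256];
    uint8_t i, j;
};

/* Key-scheduling algorithm (KSA): derive the initial permutation from the key. */
static void rc4_init(struct rc4 *st, const uint8_t *key, size_t klen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++)
        st->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        j = (uint8_t)(j + st->s[k] + key[k % klen]);
        uint8_t t = st->s[k]; st->s[k] = st->s[j]; st->s[j] = t;
    }
    st->i = st->j = 0;
}

/* Pseudo-random generation algorithm (PRGA): one keystream byte. */
static uint8_t rc4_byte(struct rc4 *st)
{
    st->i = (uint8_t)(st->i + 1);
    st->j = (uint8_t)(st->j + st->s[st->i]);
    uint8_t t = st->s[st->i]; st->s[st->i] = st->s[st->j]; st->s[st->j] = t;
    return st->s[(uint8_t)(st->s[st->i] + st->s[st->j])];
}

/* Discard n bytes of early keystream; this is the knob the thread is about. */
static void rc4_discard(struct rc4 *st, size_t n)
{
    while (n--)
        (void)rc4_byte(st);
}

/* Known-answer check: key "Key" must yield keystream EB 9F 77 81 B7 34 CA 72 A7 19. */
static int rc4_known_answer(void)
{
    static const uint8_t expect[10] = {0xEB,0x9F,0x77,0x81,0xB7,0x34,0xCA,0x72,0xA7,0x19};
    struct rc4 st;
    rc4_init(&st, (const uint8_t *)"Key", 3);
    for (size_t k = 0; k < sizeof expect; k++)
        if (rc4_byte(&st) != expect[k])
            return 0;
    return 1;
}

/* Deterministic key source for the experiment (splitmix64), not a CSPRNG. */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/*
 * Over `trials` random 16-byte keys, count how often the keystream byte at
 * 0-based position `pos` (measured after `discard` bytes are thrown away) is 0.
 * A uniform stream gives about trials/256; RC4 with no discard gives about
 * twice that at pos == 1 (Mantin-Shamir second-byte bias).
 */
static unsigned count_zero_at(size_t discard, size_t pos, unsigned trials, uint64_t seed)
{
    uint64_t rng = seed;
    unsigned zeros = 0;
    for (unsigned t = 0; t < trials; t++) {
        uint8_t key[16];
        for (size_t k = 0; k < sizeof key; k += 8) {
            uint64_t r = splitmix64(&rng);
            memcpy(key + k, &r, 8);
        }
        struct rc4 st;
        rc4_init(&st, key, sizeof key);
        rc4_discard(&st, discard);
        rc4_discard(&st, pos);
        if (rc4_byte(&st) == 0)
            zeros++;
    }
    return zeros;
}

int main(void)
{
    const unsigned trials = 50000;
    printf("known-answer test: %s\n", rc4_known_answer() ? "ok" : "FAIL");
    printf("uniform expectation for zero at a position: ~%u/%u\n", trials / 256, trials);
    printf("second byte == 0, no discard  : %u/%u\n", count_zero_at(0, 1, trials, 1), trials);
    printf("second byte == 0, drop 1024   : %u/%u\n", count_zero_at(1024, 1, trials, 1), trials);
    printf("second byte == 0, drop 3072   : %u/%u\n", count_zero_at(3072, 1, trials, 1), trials);
    return 0;
}
```

The undiscarded run lands near 390 zeros out of 50000 while either discard setting lands near 195, the uniform rate. The experiment only confirms that the discard step works as intended against the bias it can see; it says nothing about whether 1024 or 3072 is enough against the attacks the document hints at, which is exactly why the poster recommends the ChaCha20 switch over tuning the number.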
Dewayne Geraghty
2017-Mar-14 02:03 UTC
arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)
On 14 March 2017 at 09:06, Steven Chamberlain <steven at pyro.eu.org> wrote:
> From this document (TOP SECRET//SI//NOFORN):
> https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf
>
> version 1.0 said:
>
> | 8. (S//NF) [...] If RC4 is used, at least the first 1024
> | bytes of the cryptostream must be discarded and may not be used
>
> and that is exactly what FreeBSD's libc and in-kernel arc4random
> implementations do.
>
> version 1.1 received input from another agency:
>
> | (C//SI//REL FVEY) Coordinated with NSA/CES.
>
> and a new requirement was introduced:
>
> | (TS//SI) 5.9: Added additional information about proper use of RC4.
>
> | 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
> | bytes of the cryptostream must be discarded and may not be used.
>
> I think you should take that to mean, the NSA has, or suspects someone
> else to have, a practical attack on RC4 when being used as FreeBSD does
> currently. The document seems 4-5 years old already as it prohibits use
> of RC4 at all from 2014 onward.
>
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.
>
> Many thanks,
> Regards,
> --
> Steven Chamberlain
> steven at pyro.eu.org

Thanks Steven. I wasn't aware that OpenBSD was 3.5+ years ahead of the curve in terms of securing against RC4 weaknesses, compared to FreeBSD. Perhaps they have access to a mole ;)

The pointer to https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=182610 probably needs a push along. (Or a local patch, which mostly applied to /usr/src/lib/libc/gen/arc4random.c; 2 of 13 hunks need a manual adjustment.)
Steven Chamberlain wrote:
> Please consider switching to ChaCha20 in the long term (kern/182610),
> but right now, at least increase the amount of early keystream that is
> discarded.

Many, many thanks delphij+so for applying the latter change so quickly!

Also it is great to see INHERIT_ZERO was added to mmap(2)! (It will avoid the overhead of a getpid(2) syscall on every call to arc4random_buf(3) to determine if reseeding is needed. That wasn't guaranteed reliable anyway; if you have forked twice, then by chance/manipulation the new pid *could* be the same as the ancestor's.)

Thanks!
Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org