[src/trunk]: src/lib/libc/gen Ruminate on security model choices and API desi...

[riastradh <riastradh%NetBSD.org@localhost>]

details:   https://anonhg.NetBSD.org/src/rev/9e811a44fff6
branches:  trunk
changeset: 333808:9e811a44fff6
user:      riastradh <riastradh%NetBSD.org@localhost>
date:      Mon Nov 17 07:11:00 2014 +0000

description:
Ruminate on security model choices and API design in arc4random(3).

diffstat:

 lib/libc/gen/arc4random.3 |  38 +++++++++++++++++++++++++++++++++++++-
 1 files changed, 37 insertions(+), 1 deletions(-)

diffs (49 lines):

diff -r ef3a96479c49 -r 9e811a44fff6 lib/libc/gen/arc4random.3
--- a/lib/libc/gen/arc4random.3 Mon Nov 17 06:37:23 2014 +0000
+++ b/lib/libc/gen/arc4random.3 Mon Nov 17 07:11:00 2014 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: arc4random.3,v 1.12 2014/11/17 06:37:23 riastradh Exp $
+.\"    $NetBSD: arc4random.3,v 1.13 2014/11/17 07:11:00 riastradh Exp $
 .\"
 .\" Copyright (c) 2014 The NetBSD Foundation, Inc.
 .\" All rights reserved.
@@ -259,3 +259,39 @@
 .Fn arc4random_uniform
 does not help to choose integers in [0, n) uniformly at random when n >
 2^32.
+.Pp
+The security model of
+.Nm
+is stronger than many applications need, and stronger than other
+operating systems provide.
+For example, applications encrypting messages with random, but not
+secret, initialization vectors need only prevent an adversary from
+guessing future outputs, since past outputs will have been published
+already.
+.Pp
+On the one hand,
+.Nm
+could be marginally faster if it were not necessary to prevent an
+adversary who sees the state from predicting past outputs.
+On the other hand, there are applications in the wild that use
+.Nm
+to generate key material, such as OpenSSH, so for the sake of
+.Nx
+users it would be imprudent to weaken the security model.
+On the third hand, relying on the security model of
+.Nm
+in
+.Nx
+may lead you to an unpleasant surprise on another operating system
+whose implementation of
+.Nm
+has a weaker security model.
+.Pp
+One may be tempted to create new APIs to accommodate different
+security models and performance constraints without unpleasant
+surprises on different operating systems.
+This should not be done lightly, though, because there are already too
+many different choices, and too many opportunities for programmers to
+reach for one and pick the wrong one, leading to money being stolen
+and people being killed if they err on the side of faster code with a
+weaker security model.