Subject: Re: arc4random(9)
To: None <itojun@iijlab.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-kern
Date: 05/28/2002 11:57:08
On Tue, May 28, 2002 at 06:23:05PM +0900, itojun@iijlab.net wrote:
> i would really like to have arc4random(9) in libkern, both for
> easy access to better random number source, as well as source code
> compatibility with other *BSD (OpenBSD and FreeBSD already have one).
> any objections/comments?
I'm concerned that we seem to be adding poorly-considered cryptographic
APIs simply because other operating systems have done so. I don't think
cryptography is a good place to try to "keep up with the Joneses". There
are a number of well-studied cryptographic PRNG designs, but this is
decidedly *not* one of them.
In fact, if we put this in our kernel, and use it, it will effectively
prevent NetBSD systems from achieving ANSI X.9 or FIPS 140 certification,
because only certain software generators are permitted and this isn't one
of them (for good reason!).
The right thing to do is probably to rip out the current /dev/urandom
generator (which has several documented flaws) and replace it with the
simple block-cipher feedback generator from X9.31, periodically rekeyed
from the current hardware randomness pool. I don't think there's any
reason such a generator could not provide an API compatible with
arc4random().
To be blunt, providing a PRNG of dubious quality is dangerous and
irresponsible. We should have chosen the design more carefully before
we added the one we have (of course, so should the other people who
use related generators -- pretty much everyone), and we certainly should
not add another one which isn't better just because some other folks did.
--
Thor Lancelot Simon tls@rek.tjls.com
But as he knew no bad language, he had called him all the names of common
objects that he could think of, and had screamed: "You lamp! You towel! You
plate!" and so on. --Sigmund Freud