[nycbug-talk] FreeBSD abandoning hardware randomness

Brian Callahan bcallah at devio.us
Wed Dec 11 11:38:49 EST 2013


On 12/11/2013 9:37 AM, Isaac (.ike) Levy wrote:
>
> On December 10, 2013 09:12:40 PM EST, James E Keenan <jkeen at verizon.net>
> wrote:
>
>> Article here:
>>
>> http://www.theregister.co.uk/2013/12/09/freebsd_abandoning_hardware_randomness/
>>

Whoa. Before this gets way out of hand, let's take a step back and 
analyze what's really going on here.

No, FreeBSD is not abandoning hardware randomness. That's beyond 
irresponsible of a headline; not that one should consider The Register a 
bastion of journalistic integrity.

Read the quote: "...remove RDRAND and Padlock backends and feed them 
into Yarrow instead of delivering their output directly to /dev/random." 
So hardware randomness is still being used, it's just not being given 
directly to /dev/random, it has to go through Yarrow (a pseudorandom 
number algorithm/generator). And hey - if you really think using RDRAND 
directly is such a good thing, go for it, "...It will still be possible 
to access hardware random number generators, that is, RDRAND, Padlock 
etc., directly by inline assembly or by using OpenSSL from userland, if 
required ..."

Instead of giving the nod to FreeBSD for actually taking steps towards a 
good thing here, we're seeing nonsense articles like this from people 
who don't understand cryptography.

Yes, cryptography is hard and a lot of people don't understand it. Don't 
believe the sensationalism.

~Brian

>
> This made the rounds in ARS yesterday too,
> http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
>
>
> --
> While it's all on our mind, here's an excellent old article detailing
> random facilities, focused on practical use of OpenBSD and FreeBSD,
> https://calomel.org/entropy_random_number_generators.html
>

PS - don't link to calomel. That guy has no idea what he's talking 
about. Read his "Package Find using pkg_find" "tutorial" for a good laugh.




More information about the talk mailing list