[nycbug-talk] FreeBSD abandoning hardware randomness
Brian Callahan
bcallah at devio.us
Wed Dec 11 11:38:49 EST 2013
On 12/11/2013 9:37 AM, Isaac (.ike) Levy wrote:
>
> On December 10, 2013 09:12:40 PM EST, James E Keenan <jkeen at verizon.net>
> wrote:
>
>> Article here:
>>
>> http://www.theregister.co.uk/2013/12/09/freebsd_abandoning_hardware_randomness/
>>
Whoa. Before this gets way out of hand, let's take a step back and
analyze what's really going on here.
No, FreeBSD is not abandoning hardware randomness. That's beyond
irresponsible of a headline; not that one should consider The Register a
bastion of journalistic integrity.
Read the quote: "...remove RDRAND and Padlock backends and feed them
into Yarrow instead of delivering their output directly to /dev/random."
So hardware randomness is still being used, it's just not being given
directly to /dev/random, it has to go through Yarrow (a pseudorandom
number algorithm/generator). And hey - if you really think using RDRAND
directly is such a good thing, go for it, "...It will still be possible
to access hardware random number generators, that is, RDRAND, Padlock
etc., directly by inline assembly or by using OpenSSL from userland, if
required ..."
Instead of giving the nod to FreeBSD for actually taking steps towards a
good thing here, we're seeing nonsense articles like this from people
who don't understand cryptography.
Yes, cryptography is hard and a lot of people don't understand it. Don't
believe the sensationalism.
~Brian
>
> This made the rounds in ARS yesterday too,
> http://arstechnica.com/security/2013/12/we-cannot-trust-intel-and-vias-chip-based-crypto-freebsd-developers-say/
>
>
> --
> While it's all on our mind, here's an excellent old article detailing
> random facilities, focused on practical use of OpenBSD and FreeBSD,
> https://calomel.org/entropy_random_number_generators.html
>
PS - don't link to calomel. That guy has no idea what he's talking
about. Read his "Package Find using pkg_find" "tutorial" for a good laugh.
More information about the talk
mailing list