On Wed, Jan 05, 2005 at 06:08:31PM -0500, Perry E. Metzger wrote:
> Ian G <[EMAIL PROTECTED]> writes:
> > While we're on the subject of /dev/[u]random, has anyone
> > looked at the new FreeBSD 5.3 version?
>
> Not the 5.3 version but I have looked a bit at earlier versions. I was
> pretty scared, frankly.
>
> FreeBSD has some other crypto toys that I'm dubious about. It now has
> a crypto file system widget that uses a bunch of odd ad hoc modes
> invented by the author. Some quick analysis shows that most of the
> complexity they add does not add actual cryptographic strength and
> does add possible attack vectors, which is worrisome.

I keep poking you-know-who to write up his gbde criticisms properly :)

> None of this should say that I'm entirely comfortable with the
> security of, say, NetBSD's /dev/random. Even though I should have,
> I've never properly audited the whole thing, which is more than mildly
> embarrassing. Shades of the shoemaker's children and such. For all I
> know, we've got big flaws, too.

I'd be very happy for any review from this group, as I've said
previously.

I have idly considered replacing the urandom device with something
like yarrow, re-seeded as appropriate from the random device. This
would likely improve its speed, and (more importantly) reduce or
eliminate the times that urandom readers cause random readers to block
because the entropy estimator (however bogus) is low.

Recommending that urandom (in whatever form) is strong without
blocking and should be used ~always is one thing. Inverting the sense
of random, for those few cases where someone decides they're prepared
to block no matter what, as it seems FreeBSD has done, is another
thing entirely.

--
Dan.
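The effect described in the message above (urandom readers running the estimator down so that random readers block) can be modelled in a few lines. This is an added example, not part of the original message and not NetBSD or FreeBSD code: the SHA-256 counter generator is a simple stand-in for "something like yarrow", not Yarrow itself, and the class names, pool size, seed size and reseed interval are all assumptions chosen for illustration.

```python
import hashlib

class EntropyPool:
    """Toy pool that models only the entropy estimate, not real collection."""
    def __init__(self, bits):
        self.bits = bits
        self.state = hashlib.sha256(b"constructed sample pool state").digest()

    def extract(self, nbytes):
        # Debit the estimator (floor at zero), emit output, step the state.
        self.bits = max(0, self.bits - 8 * nbytes)
        out = hashlib.shake_256(b"out" + self.state).digest(nbytes)
        self.state = hashlib.sha256(b"next" + self.state).digest()
        return out

    def random_would_block(self, nbytes):
        # A blocking random read waits while the estimate is too low.
        return self.bits < 8 * nbytes

class DirectUrandom:
    """urandom that extracts from the pool on every read."""
    def __init__(self, pool):
        self.pool = pool

    def read(self, nbytes):
        return self.pool.extract(nbytes)

class ReseededUrandom:
    """urandom as a hash-counter generator that touches the pool only to reseed."""
    def __init__(self, pool, reseed_after=1 << 20):
        self.pool, self.reseed_after = pool, reseed_after
        self.key, self.counter, self.since_seed = b"", 0, reseed_after

    def read(self, nbytes):
        out = b""
        while len(out) < nbytes:
            if self.since_seed >= self.reseed_after:  # first read, then per interval
                seed = self.pool.extract(32)
                self.key = hashlib.sha256(self.key + seed).digest()
                self.since_seed = 0
            out += hashlib.sha256(self.key + self.counter.to_bytes(16, "big")).digest()
            self.counter += 1
            self.since_seed += 32
        return out[:nbytes]

def simulate(device_cls, reads=100, read_size=64, pool_bits=4096):
    """Return (remaining estimate, whether a 16-byte random read would block)."""
    pool = EntropyPool(pool_bits)
    dev = device_cls(pool)
    for _ in range(reads):
        assert len(dev.read(read_size)) == read_size
    return pool.bits, pool.random_would_block(16)
```

With the defaults, 100 urandom reads of 64 bytes leave the direct design at an estimate of zero, while the reseeded design has debited the pool only once for its 32-byte seed.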