Module Name:src
Committed By: bouyer
Date: Thu Dec 5 16:23:23 UTC 2019
Modified Files:
src/share/man/man4 [netbsd-7-0]: rnd.4
Log Message:
Pull up following revision(s) (requested by riastradh in ticket #1715):
share/man/man4/rnd.4: revision 1.26
share/man/man4/rnd.4: revision 1.27
share/man/man4/rnd.4: revision 1.28
share/man/man4/rnd.4: revision 1.25
Update man page to reflect switch from CTR_DRBG to Hash_DRBG.
Replace slightly wrong rant by shorter and slightly less long rant.
(If X and Y in Z/2Z are independent, then so are X and X+Y. What was
I thinking.)
Update NIST SP800-90A reference.
New sentence, new line. Use \(em.
To generate a diff of this commit:
cvs rdiff -u -r1.20.10.1 -r1.20.10.1.2.1 src/share/man/man4/rnd.4
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
Modified files:
Index: src/share/man/man4/rnd.4
diff -u src/share/man/man4/rnd.4:1.20.10.1 src/share/man/man4/rnd.4:1.20.10.1.2.1
--- src/share/man/man4/rnd.4:1.20.10.1 Wed Mar 18 07:54:26 2015
+++ src/share/man/man4/rnd.4 Thu Dec 5 16:23:22 2019
@@ -1,4 +1,4 @@
-.\" $NetBSD: rnd.4,v 1.20.10.1 2015/03/18 07:54:26 snj Exp $
+.\" $NetBSD: rnd.4,v 1.20.10.1.2.1 2019/12/05 16:23:22 bouyer Exp $
.\"
.\" Copyright (c) 2014 The NetBSD Foundation, Inc.
.\" All rights reserved.
@@ -27,7 +27,7 @@
.\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
.\" POSSIBILITY OF SUCH DAMAGE.
.\"
-.Dd November 16, 2014
+.Dd September 3, 2019
.Dt RND 4
.Os
.Sh NAME
@@ -187,8 +187,8 @@ quantum computers.
Systems with nonvolatile storage should store a secret from
.Pa /dev/urandom
on disk during installation or shutdown, and feed it back during boot,
-so that the work the operating system has done to gather entropy --
-including the work its operator may have done to flip a coin! -- can be
+so that the work the operating system has done to gather entropy \(em
+including the work its operator may have done to flip a coin! \(em can be
saved from one boot to the next, and so that newly installed systems
are not vulnerable to generating cryptographic keys predictably.
.Pp
@@ -205,7 +205,7 @@ in
see
.Xr rc.conf 5 .
.Sh LIMITATIONS
-Some people worry about recovery from state compromise -- that is,
+Some people worry about recovery from state compromise \(em that is,
ensuring that even if an attacker sees the entire state of the
operating system, then the attacker will be unable to predict any new
future outputs as long as the operating system gathers fresh entropy
@@ -404,9 +404,9 @@ When a user process opens
or
.Pa /dev/urandom
and first reads from it, the kernel draws from the entropy pool to seed
-a cryptographic pseudorandom number generator, the NIST CTR_DRBG
-(counter-mode deterministic random bit generator) with AES-128 as the
-block cipher, and uses that to generate data.
+a cryptographic pseudorandom number generator, the NIST Hash_DRBG
+(hash-based deterministic random bit generator) with SHA-256 as the
+hash function, and uses that to generate data.
.Pp
To draw a seed from the entropy pool, the kernel
.Bl -bullet -offset abcd -compact
@@ -489,10 +489,10 @@ Never blocks.
.%A Elaine Barker
.%A John Kelsey
.%T Recommendation for Random Number Generation Using Deterministic Random Bit Generators
-.%D January 2012
+.%D June 2015
.%I National Institute of Standards and Technology
-.%O NIST Special Publication 800-90A
-.%U http://csrc.nist.gov/publications/nistpubs/800-90A/SP800-90A.pdf
+.%O NIST Special Publication 800-90A, Revision 1
+.%U https://csrc.nist.gov/publications/detail/sp/800-90a/rev-1/final
.Re
.Rs
.%A Daniel J. Bernstein
@@ -551,59 +551,33 @@ Unfortunately, no amount of software eng
.Sh ENTROPY ACCOUNTING
The entropy accounting described here is not grounded in any
cryptography theory.
-It is done because it was always done, and because it gives people a
-warm fuzzy feeling about information theory.
+.Sq Entropy estimation
+doesn't mean much: the kernel hypothesizes an extremely simple-minded
+parametric model for all entropy sources which bears little relation to
+any physical processes, implicitly fits parameters from data, and
+accounts for the entropy of the fitted model.
.Pp
-The folklore is that every
-.Fa n Ns -bit
-output of
-.Fa /dev/random
-is not merely indistinguishable from uniform random to a
-computationally bounded attacker, but information-theoretically is
-independent and has
-.Fa n
-bits of entropy even to a computationally
-.Em unbounded
-attacker -- that is, an attacker who can recover AES keys, compute
-SHA-1 preimages, etc.
-This property is not provided, nor was it ever provided in any
-implementation of
-.Fa /dev/random
-known to the author.
-.Pp
-This property would require that, after each read, the system discard
-all measurements from hardware in the entropy pool and begin anew.
-All work done to make the system unpredictable would
