Speed and security of /dev/urandom
RW
rwmaillists at googlemail.com
Fri Jul 18 22:10:59 UTC 2014
On Fri, 18 Jul 2014 21:06:31 +0100
Steven Chamberlain wrote:
> *If* getpid involves a syscall on every arc4random_buf call, that is
> already going to limit its performance? Would it really be
> any slower to just return random bytes from the kernel, with the
> KERN_ARND sysctl?
I think KERN_ARND uses the kernel version of arc4random rather than
Yarrow - unless something changed.
> The overhead of currently having to initially and
> periodically seed RC4, discard the early keystream, and apply that
> cipher thereafter, would be gone. The risk of the problem described
> above, or of weaknesses in RC4, or implementation issues with
> arc4random's PRNG seeding are also gone.
The RANDOM kernel module may not be present, particularly in a
stripped-down embedded kernel. In that case yarrow isn't present in the
kernel, and kernel arc4random isn't securely seeded. An application may
then securely seed userland arc4random via arc4random_addrandom().
Supporting that requires at least the possibility to fall back to a
userland PRNG.
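To make the KERN_ARND path and the fallback concrete, here is an added example (not code from the thread or from FreeBSD's libc): it requests kernel random bytes through the KERN_ARND sysctl where that interface exists and otherwise, or on sysctl failure, falls back to /dev/urandom as a stand-in for the userland source a real application would seed itself. It assumes the standard sysctl(3) signature and uses the historical 256-byte per-request cap of KERN_ARND.

```c
#include <fcntl.h>
#include <stddef.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Fallback source: read len bytes from /dev/urandom. Returns 0 or -1. */
static int read_dev_urandom(unsigned char *buf, size_t len) {
    int fd = open("/dev/urandom", O_RDONLY);
    size_t got = 0;
    if (fd < 0) return -1;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) { close(fd); return -1; }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Fetch len bytes of kernel-generated random data.
 * On FreeBSD this goes through the KERN_ARND sysctl; elsewhere, or if the
 * sysctl fails, it falls back to /dev/urandom. Returns 0 on success, -1 on
 * failure. Whether the kernel source is trustworthy (e.g. when the random
 * module is absent) is still the caller's decision, as the thread notes. */
int get_kernel_random(unsigned char *buf, size_t len) {
#ifdef __FreeBSD__
    int mib[2] = { CTL_KERN, KERN_ARND };
    size_t got = 0;
    while (got < len) {
        /* KERN_ARND caps one request at 256 bytes (assumed), so ask in chunks. */
        size_t chunk = len - got > 256 ? 256 : len - got;
        if (sysctl(mib, 2, buf + got, &chunk, NULL, 0) != 0 || chunk == 0)
            return read_dev_urandom(buf + got, len - got);
        got += chunk;
    }
    return 0;
#else
    return read_dev_urandom(buf, len);
#endif
}

/* Sanity check: two independent 32-byte draws must differ. Returns 1 if
 * they do, 0 if they are identical, -1 on a read failure. */
int draws_differ(void) {
    unsigned char a[32], b[32];
    if (get_kernel_random(a, sizeof a) != 0) return -1;
    if (get_kernel_random(b, sizeof b) != 0) return -1;
    return memcmp(a, b, sizeof a) != 0;
}
```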