arc4random weakness (was: WikiLeaks CIA Exploits: FreeBSD References Within)

Steven Chamberlain steven at pyro.eu.org
Mon Mar 13 22:06:49 UTC 2017


From this document (TOP SECRET//SI//NOFORN):
https://wikileaks.org/ciav7p1/cms/files/NOD%20Cryptographic%20Requirements%20v1.1%20TOP%20SECRET.pdf

version 1.0 said:

| 8. (S//NF) [...] If RC4 is used, at least the first 1024
| bytes of the cryptostream must be discarded and may not be used

and that is exactly what FreeBSD's libc and in-kernel arc4random
implementations do.

version 1.1 received input from another agency:

| (C//SI//REL FVEY) Coordinated with NSA/CES.

and a new requirement was introduced:

| (TS//SI) 5.9: Added additional information about proper use of RC4.

| 9. (TS//SI) Further than stated above, if RC4 is used the first 3072
| bytes of the cryptostream must be discarded and may not be used.

I think you should take that to mean that the NSA has, or suspects someone
else to have, a practical attack on RC4 when it is used as FreeBSD does
currently.  The document seems 4-5 years old already as it prohibits use
of RC4 at all from 2014 onward.

Please consider switching to ChaCha20 in the long term (kern/182610),
but right now, at least increase the amount of early keystream that is
discarded.

Many thanks,
Regards,
-- 
Steven Chamberlain
steven at pyro.eu.org
-------------- next part --------------
A non-text attachment was scrubbed...
Name: arc4random.patch
Type: text/x-diff
Size: 1138 bytes
Desc: not available
URL: <http://lists.freebsd.org/pipermail/freebsd-security/attachments/20170313/aab8cd51/attachment.patch>
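The RC4-drop[n] construction behind the two discard figures in the post, as an added example that is not part of the post, its attached patch, or FreeBSD's arc4random: a plain RC4 keystream generator whose caller chooses how many initial bytes to throw away. The `rc4_` names are this example's own; the `Key` and `Secret` inputs are the widely published RC4 test vectors.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* RC4 state: the 256-byte permutation plus the two PRGA indices. */
typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_ctx;

/* Key-scheduling algorithm (KSA): derive the permutation from the key. */
static void rc4_init(rc4_ctx *c, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int i = 0; i < 256; i++)
        c->s[i] = (uint8_t)i;
    for (int i = 0; i < 256; i++) {
        j = (uint8_t)(j + c->s[i] + key[i % keylen]);
        uint8_t t = c->s[i]; c->s[i] = c->s[j]; c->s[j] = t;
    }
    c->i = c->j = 0;
}

/* One PRGA step: returns the next keystream byte. */
static uint8_t rc4_next(rc4_ctx *c)
{
    c->i = (uint8_t)(c->i + 1);
    c->j = (uint8_t)(c->j + c->s[c->i]);
    uint8_t t = c->s[c->i]; c->s[c->i] = c->s[c->j]; c->s[c->j] = t;
    return c->s[(uint8_t)(c->s[c->i] + c->s[c->j])];
}

/* RC4-drop[n]: throw away the first `drop` keystream bytes, where the output
 * distribution is known to be biased, then emit `outlen` usable bytes.
 * The post's figures: 1024 (FreeBSD's arc4random) versus 3072 (NOD v1.1). */
void rc4_drop_keystream(const uint8_t *key, size_t keylen, size_t drop,
                        uint8_t *out, size_t outlen)
{
    rc4_ctx c;
    rc4_init(&c, key, keylen);
    for (size_t n = 0; n < drop; n++)
        (void)rc4_next(&c);
    for (size_t n = 0; n < outlen; n++)
        out[n] = rc4_next(&c);
}

/* Helper for checks: byte `pos` of the stream that remains after `drop`. */
uint8_t rc4_drop_byte(const char *key, size_t drop, size_t pos)
{
    uint8_t b[1];
    rc4_drop_keystream((const uint8_t *)key, strlen(key), drop + pos, b, 1);
    return b[0];
}
```

With `drop` set to 0 the generator reproduces the textbook RC4 vectors; with 1024 or 3072 it simply resumes the same stream at that offset, which is all the discard requirement asks for.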