FreeBSD won't use Intel & Via's hardware random number generators, believes NSA has compromised them

The maintainers of the security-conscious FreeBSD operating system have declared that they will no longer rely on the random number generators in Intel and Via's chips, on the grounds that the NSA likely has weakened these opaque hardware systems in order to ease surveillance. The decision is tied to the revelations of the BULLRUN/EDGEHILL programs, wherein the NSA and GCHQ spend $250M/year sabotaging security in standards, operating systems, software, and networks.

"For 10, we are going to backtrack and remove RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random," FreeBSD developers said. "It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them any more."

In separate meeting minutes, developers specifically invoked Snowden's name when discussing the change.

"Edward Snowdon [sic] -- v. high probability of backdoors in some (HW) RNGs," the notes read, referring to hardware RNGs. Then, alluding to the Dual EC_DRBG RNG forged by the National Institute of Standards and Technology and said to contain an NSA-engineered backdoor, the notes read: "Including elliptic curve generator included in NIST. rdrand in ivbridge not implemented by Intel... Cannot trust HW RNGs to provide good entropy directly. (rdrand implemented in microcode. Intel will add opcode to go directly to HW.) This means partial revert of some work on rdrand and padlock."

“We cannot trust” Intel and Via’s chip-based crypto, FreeBSD developers say [Dan Goodin/Ars Technica]

Notable Replies

  1. We used to call this behavior paranoid. Now it's called prudent.

  2. But most random number generators are only pseudo-random anyway. Even if they're not deliberately compromised, they still can't be trusted. I see a market for a radium sample in a tiny USB device.

  3. I understand some Mexican folks had some radioactive stuff to se...oh, wait, that's funny they were online just the other day...

  4. Also obligatory,

  5. In my previous career as an MMO developer, the kinds of complaints I heard about RNGs were:

    -- we need a deterministically reproducible series of pseudo-random numbers.
    -- the Mersenne Twister algorithm you used to give us a deterministically reproducible series of pseudo-random numbers is too slow.
    -- claims based on anecdote, a poor understanding of statistics, and lack of realization that the RNG is doing far more than just your loot rolls.

    I wish I could throw this into that third category. Unfortunately these days you can attribute things to malice that should have been mere stupidity.

    "Security" is really kind of the opposite of what the NSA does.

Continue the discussion bbs.boingboing.net

12 more replies

Participants