This post was updated on December 16 to make it clear that for most of FreeBSD’s history, it was not possible to use RDRAND and Padlock as the only source of random numbers fed to the /dev/random engine.
The developers of the FreeBSD operating system will continue to prevent users from relying on products manufactured by Intel and Via Technologies as the only source of random numbers needed to generate cryptographic keys that cannot be easily cracked by government spies and other enemies.
That decision, which will take effect in the upcoming FreeBSD version 10.0, comes three months after classified documents leaked by former National Security Agency (NSA) contractor Edward Snowden said the US spy agency was able to decode large swaths of encrypted Internet traffic. Among other ways, The New York Times, Pro Publica, and The Guardian reported in September, the NSA and its British partner defeated encryption technologies by working with developers to insert backdoors, or cryptographic weaknesses, into their products.
The disclosures play a role in FreeBSD’s decision to continue restricting the use of hardware-based random number generators to seed the data used to ensure that cryptographic systems cannot be easily broken by adversaries. In particular, “RDRAND” and “Padlock” (the RNGs provided by Intel and Via respectively) will not be sources that FreeBSD feeds directly into the /dev/random engine used to generate random data in Unix-based systems. Instead, as has been the case for most of FreeBSD’s history, the random output of RDRAND and Padlock can be applied to the /dev/random seed only after it has been passed through a separate RNG algorithm known as “Yarrow.” Yarrow, in turn, will add further entropy to the data so that intentional backdoors, or unpatched vulnerabilities, planted by hardware developers cannot be used by adversaries to predict its output.
“For 10, we will back up and remove the RDRAND and Padlock backends and feed them into Yarrow instead of delivering their output directly to /dev/random,” the FreeBSD developers said in meeting minutes from earlier this year. “It will still be possible to access the hardware random number generators, that is, RDRAND, Padlock etc., directly through inline assembly or by using OpenSSL from userland, if needed, but we can no longer trust them.”
In separate meeting minutes, the developers specifically mentioned Snowden’s name when discussing the decision.
“Edward Snowdon (sic) – v. high probability of backdoors in some (HW) RNGs,” the notes read, referring to hardware RNGs. Then, referring to the Dual_EC_DRBG RNG produced by the National Institute of Standards and Technology and said to contain an NSA backdoor, the notes read: “With the elliptic curve generator that is in NIST. rdrand in ivbridge is not made by Intel… Can’t trust HW RNGs to provide good entropy directly. (rdrand built in microcode. Intel will add opcode to go directly to HW.) This means partial change of some functions on rdrand and padlock.”
The meetings came shortly after a FreeBSD patch contributed by a third party in July gave users the ability to use RDRAND and Padlock as direct sources of randomness. The update was made without proper review and against established policy, and in the following weeks all or part of it would be removed and redone, FreeBSD Security Officer Dag-Erling Smørgrav told Ars. The change was finally withdrawn altogether in October. Apart from a brief period earlier this year, no FreeBSD release has ever shipped with the option to feed the bit stream from a hardware random number generator directly to /dev/random, Smørgrav said.
Smørgrav went on to say that some industry users have expressed a long-standing desire for FreeBSD to let them consume the raw feed from RDRAND, because the underlying algorithm is listed as a certified RNG under the FIPS 140 standard that defense contractors and other government bodies are required to follow. Using a few lines of code, FreeBSD users can read RDRAND directly in userland rather than relying on the kernel to feed it to them.
“What it boils down to is that we won’t stand in the way of FreeBSD users who want to use these HWRNGs, but neither will we endorse them, and we think that providing a kernel interface would be a perfect endorsement of background material,” Smørgrav wrote in an email.
RNGs are one of the most important elements in any secure cryptographic system. They are akin to the dice shakers used in board games, which ensure that each roll draws from the full range of possible numbers. If adversaries can reduce the amount of entropy an RNG generates or find a way to predict some of its output, they can often find ways to extract the keys needed to decrypt an otherwise unreadable message. A vulnerability in the /dev/random mechanism in Google’s Android operating system, for example, was the root cause of a serious exploit that recently allowed thieves to pilfer bitcoins from users’ digital wallets. RDRAND is a random data source provided by Ivy Bridge and later generations of Intel processors. Padlock is the random data source in chips made by Via.
While the FreeBSD developers have been weighing the allegations of backdoors raised in the documents leaked by Snowden, the move is a good idea even if those vulnerabilities never come to light. Adding additional sources of randomness alongside RDRAND, Padlock, and other RNGs will not reduce their entropy and may make the keys they help generate harder to crack. Relying on multiple sources of randomness is good practice and likely could have helped avoid the crippling vulnerabilities recently discovered in Taiwan’s secure digital ID system.
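As an added illustration of the design described above (hardware RNG output routed through a mixing stage rather than straight into /dev/random) and of the closing point that extra sources of randomness never subtract entropy, the following Python sketch contrasts a direct hardware-RNG path with a pool that mixes the hardware output together with other harvested sources. It is not FreeBSD's or Yarrow's code: SHA-256 and HMAC stand in for Yarrow's hash-based pools and generator, and the source names and byte values are constructed for the demonstration.

```python
"""Toy contrast between exposing a hardware RNG directly and mixing it into a
pool with other sources.  Added example, not FreeBSD or Yarrow code; SHA-256
and HMAC are stand-ins for Yarrow's pools and generator."""
import hashlib
import hmac

# Constructed stand-in sources (not real kernel harvest data).  In FreeBSD the
# real inputs would be RDRAND/Padlock output plus interrupt timings, disk and
# network latency and other events the kernel harvests.
HWRNG_BACKDOORED = bytes(32)                    # output an adversary can predict exactly
HWRNG_HONEST = bytes(range(32))                 # placeholder for a trustworthy hardware RNG
INTERRUPT_TIMINGS = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2)
DISK_LATENCY = bytes.fromhex("deadbeefcafef00d1337c0de0badf00d" * 2)
OTHER_SOURCES = [("interrupts", INTERRUPT_TIMINGS), ("disk", DISK_LATENCY)]


def harvest(sources):
    """Mix every harvested (name, data) pair into one pool digest.  Names and
    lengths are fed in too, so two harvests cannot collide merely by shifting
    bytes from one source into another."""
    pool = hashlib.sha256()
    for name, data in sources:
        pool.update(len(name).to_bytes(1, "big") + name.encode())
        pool.update(len(data).to_bytes(4, "big") + data)
    return pool.digest()


def generate(key, nbytes):
    """Hash-counter generator keyed by the reseeded pool value."""
    out = b""
    counter = 0
    while len(out) < nbytes:
        out += hmac.new(key, counter.to_bytes(8, "big"), "sha256").digest()
        counter += 1
    return out[:nbytes]


def direct_path(hw_output, nbytes=32):
    """The withdrawn July design: hardware RNG bytes handed out as-is."""
    return hw_output[:nbytes]


def mixed_path(hw_output, other_sources, nbytes=32):
    """The retained design: the hardware RNG is one source among several and
    only the mixed pool ever reaches the generator."""
    key = harvest([("hwrng", hw_output)] + list(other_sources))
    return generate(key, nbytes)


def adversary_prediction(hw_output, nbytes=32):
    """What an adversary who controls the hardware RNG expects to see if its
    output were delivered directly."""
    return hw_output[:nbytes]


if __name__ == "__main__":
    direct = direct_path(HWRNG_BACKDOORED)
    mixed = mixed_path(HWRNG_BACKDOORED, OTHER_SOURCES)
    print("direct path matches adversary's guess:", direct == adversary_prediction(HWRNG_BACKDOORED))
    print("mixed path matches adversary's guess: ", mixed == adversary_prediction(HWRNG_BACKDOORED))
```

The point the comparison makes: when the hardware RNG is predictable, the direct path hands the adversary the output outright, while the mixed path still depends on every other harvested source. An honest hardware RNG still changes the pool, so routing it through the mixer discards nothing; it only removes the single point of trust.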