[PATCH v10 9/9] manual: Add documentation for arc4random functions

Adhemerval Zanella Netto adhemerval.zanella@linaro.org
Thu Jul 14 21:01:48 GMT 2022



On 14/07/22 16:40, Cristian Rodríguez wrote:
> On Thu, Jul 14, 2022 at 7:31 AM Adhemerval Zanella via Libc-alpha
> <libc-alpha@sourceware.org> wrote:
>>
>> From: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
>>
>> ---
>>  manual/math.texi | 46 ++++++++++++++++++++++++++++++++++++++++++++++
>>  1 file changed, 46 insertions(+)
>>
>> diff --git a/manual/math.texi b/manual/math.texi
>> index 477a18b6d1..141695cc30 100644
> 
>> +Although these functions provide higher random quality than ISO, BSD, and
>> +SVID functions, these still use a Pseudo-Random generator and should not
>> +be used in cryptographic contexts.
>>
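Review bot: the added sentence "should not be used in cryptographic contexts" is a stronger claim than the design justifies and, as the reply below notes, contradicts how other arc4random implementations document themselves; better to describe the actual property (output is expanded in a per-thread buffer from kernel entropy and rekeyed only periodically) than to issue a blanket prohibition, e.g. "these functions expand kernel entropy through a userspace pseudo-random generator and rekey it periodically". Also "higher random quality" reads better as "higher-quality randomness", and "Pseudo-Random generator" should be lowercase "pseudo-random generator" to match the rest of the manual.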
> 
> Huh.. then we have a problem.. for all other systems that implement
> arc4random.. they claim it is a CSPRNG.. this paragraph says
> otherwise...
> code assumes arc4random is a CSPRNG.. suitable for cryptography..
> that's a pretty big difference...

The OpenBSD manual is in fact not clear [1], and FreeBSD has the same description
as OpenBSD [2]:

"High quality 32-bit pseudo-random numbers are generated very quickly.
On each call, a cryptographic pseudo-random number generator is used
to generate a new result."

MacOS, on the other hand, does describe its implementation as a CSPRNG,
from man 'arc4random':

"These functions use a cryptographic pseudo-random number generator to
generate high quality random bytes very quickly."

And it has a specific note:

"The original version of this random number generator used the RC4
(also known as ARC4) algorithm.  In OS X 10.12 it was replaced with the
NIST-approved AES cipher, and it may be replaced again in the future as
cryptographic techniques advance.  A good mnemonic is “A Replacement
Call for Random”."

However, for both BSD and MacOS, only the initial seeding and subsequent rekeys
are done with kernel entropy.  So, similar to this proposal, the buffer
stream up to a certain limit can be derived if you know the original
kernel entropy used to initialize it.

I think in practice the approach of this patchset is similar to what
BSD and MacOS do (the only difference is we are doing a per-thread
buffer instead of a global state).  I am not sure we can actually assert
this approach generates CSPRNG output; in fact, neither can BSD or
MacOS.

[1] https://github.com/libressl-portable/openbsd/blob/master/src/lib/libc/crypt/arc4random.3
[2] https://www.freebsd.org/cgi/man.cgi?query=arc4random
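The property discussed above (a userspace buffer expanded from kernel entropy is fully determined by that entropy until the next rekey) is easy to observe in a small model. The following is an added example written for this thread, not glibc's, OpenBSD's or macOS's arc4random code: splitmix64 stands in for the real cipher (it is not cryptographic and is used only as an expansion function), /dev/urandom stands in for the kernel entropy source, and the buffer and rekey sizes are toy values chosen so the boundary is visible. Two generators started from the same seed produce identical bytes up to REKEY_LIMIT and diverge once each pulls its own fresh kernel entropy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy sizes so the rekey boundary is easy to observe; real buffers are larger. */
#define BUF_BYTES   64   /* bytes expanded from the current state per fill */
#define REKEY_LIMIT 128  /* bytes handed out before fresh kernel entropy is mixed in */

struct gen {
    uint64_t state;        /* PRF state; a function of the seed until the next rekey */
    uint8_t buf[BUF_BYTES];
    size_t pos;            /* next unread byte in buf */
    size_t since_rekey;    /* bytes handed out since the last kernel reseed */
};

/* Stand-in expansion function (splitmix64). NOT a cipher, NOT cryptographically
 * secure; it only models "expand a secret state into output bytes". */
static uint64_t splitmix64(uint64_t *state)
{
    uint64_t z = (*state += 0x9E3779B97F4A7C15ULL);
    z = (z ^ (z >> 30)) * 0xBF58476D1CE4E5B9ULL;
    z = (z ^ (z >> 27)) * 0x94D049BB133111EBULL;
    return z ^ (z >> 31);
}

/* Expand the current state into the whole buffer. */
static void fill(struct gen *g)
{
    for (size_t i = 0; i < BUF_BYTES; i += sizeof(uint64_t)) {
        uint64_t v = splitmix64(&g->state);
        memcpy(&g->buf[i], &v, sizeof v);
    }
    g->pos = 0;
}

/* The only place kernel entropy enters the model: 8 bytes from /dev/urandom. */
static int kernel_entropy(uint64_t *out)
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t n = fread(out, sizeof *out, 1, f);
    fclose(f);
    return n == 1 ? 0 : -1;
}

/* Seed supplied by the caller (standing in for the entropy fetched at first use)
 * so that two generators can deliberately be started from the same value. */
void gen_init(struct gen *g, uint64_t seed)
{
    g->state = seed;
    g->since_rekey = 0;
    fill(g);
}

/* Hand out n bytes; refill from state when the buffer is empty and rekey from
 * the kernel once REKEY_LIMIT bytes have been produced. -1 if entropy failed. */
int gen_bytes(struct gen *g, uint8_t *out, size_t n)
{
    while (n > 0) {
        if (g->since_rekey >= REKEY_LIMIT) {
            uint64_t fresh;
            if (kernel_entropy(&fresh) != 0)
                return -1;
            g->state ^= fresh;     /* mix in new kernel entropy */
            g->since_rekey = 0;
            fill(g);               /* discard what was left of the old buffer */
        }
        if (g->pos == BUF_BYTES)
            fill(g);
        size_t take = n;
        if (take > BUF_BYTES - g->pos)
            take = BUF_BYTES - g->pos;
        if (take > REKEY_LIMIT - g->since_rekey)
            take = REKEY_LIMIT - g->since_rekey;
        memcpy(out, &g->buf[g->pos], take);
        g->pos += take;
        g->since_rekey += take;
        out += take;
        n -= take;
    }
    return 0;
}

/* Common-prefix length of two generators started from the same seed, over the
 * first n (<= 512) bytes each produces. Returns -1 if /dev/urandom is unusable. */
long common_prefix_len(uint64_t seed, size_t n)
{
    uint8_t a[512], b[512];
    struct gen ga, gb;
    if (n > sizeof a)
        n = sizeof a;
    gen_init(&ga, seed);
    gen_init(&gb, seed);
    if (gen_bytes(&ga, a, n) != 0 || gen_bytes(&gb, b, n) != 0)
        return -1;
    size_t i = 0;
    while (i < n && a[i] == b[i])
        i++;
    return (long)i;
}

int main(void)
{
    printf("identical bytes before the rekey diverges them: %ld (limit %d)\n",
           common_prefix_len(0x1234ULL, 256), REKEY_LIMIT);
    return 0;
}
```

With the toy sizes, the first 128 bytes of both generators are a pure function of the seed, which is exactly the window the reply describes: anyone who knows the entropy used at initialisation can reproduce the stream up to the rekey limit, on this model as on the real implementations.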

