NetBSD: RNG Bug May Result in Weak Cryptographic Keys #sameold #sameold

Due to a misplaced parenthesis, if insufficient GOOD bits were available to satisfy a request, the keying/rekeying code requested either 32 or 64 ANY bits, rather than the balance of bits required to key the stream generator.

The result of this bug is that even after the minimum entropy threshold was reached, the generators for in-kernel and userspace consumers could in the worst case be keyed, or re-keyed, with as few as 32 bits (on 32 bit platforms) or 64 bits (on 64 bit platforms) of data, plus a 32-bit cycle counter value, plus the name of the generator (an LWP ID for userspace, a fixed string for kernel consumers), plus stack noise for the remainder.

Systems which never experience an “insufficient entropy” condition (for example, systems with hardware random number generators supported by NetBSD) are not impacted by this bug.

All cryptographic keys generated on NetBSD 6 or NetBSD-current (prior to 2013-01-27) systems should be regenerated, unless it is certain that the system in question cannot have suffered a low-entropy condition when the keys were generated.

via .
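The "misplaced parenthesis" mechanism the advisory describes, as an added example that is not NetBSD's code. The advisory only says that a request for the remaining GOOD bits turned into a request for 32 or 64 ANY bits depending on platform; that is exactly the size of a pointer, so the model below assumes the slip had the shape `sizeof(key - n)` (a pointer expression) where `sizeof(key) - n` was intended. Whether the real source had that exact expression is an assumption. The entropy pool, key size and the `keyed_bytes` wrapper are constructed for the example; the cycle counter and generator name the advisory says are also mixed in are left out, since they do not change the count of pool-supplied bytes.

```c
/* Added example: model of a misplaced-parenthesis rekey bug.
 * Not NetBSD's code; pool, key size and wrapper are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define KEY_BYTES 32  /* a 256-bit stream-generator key (assumed size) */

/* Constructed entropy pool: hands out at most good_avail GOOD bytes and
 * then refuses further GOOD requests; ANY requests are always satisfied.
 * Filler bytes are deterministic so the example is repeatable. */
struct pool {
    size_t good_avail;
    uint8_t next;
};

enum extract_kind { EXTRACT_GOOD, EXTRACT_ANY };

static size_t pool_extract(struct pool *p, uint8_t *dst, size_t len,
                           enum extract_kind kind)
{
    size_t n = len;
    if (kind == EXTRACT_GOOD) {
        if (n > p->good_avail)
            n = p->good_avail;
        p->good_avail -= n;
    }
    for (size_t i = 0; i < n; i++)
        dst[i] = p->next++;
    return n;
}

struct generator {
    uint8_t key[KEY_BYTES];
};

/* Key (or re-key) the generator. Returns how many key bytes the pool
 * wrote; anything beyond that is whatever the buffer already held, which
 * is the "stack noise" the advisory refers to. */
static size_t rekey(struct pool *p, struct generator *g, int buggy)
{
    size_t got = pool_extract(p, g->key, sizeof(g->key), EXTRACT_GOOD);
    if (got < sizeof(g->key)) {
        size_t want;
        if (buggy) {
            /* Misplaced parenthesis (assumed form): the operand is a
             * pointer expression, so this is sizeof(uint8_t *):
             * 4 bytes on 32-bit platforms, 8 bytes on 64-bit. */
            want = sizeof(g->key - got);
        } else {
            /* Intended: the balance of the key still to be filled. */
            want = sizeof(g->key) - got;
        }
        /* Keep the model in bounds; this clamp is not part of the bug. */
        if (want > sizeof(g->key) - got)
            want = sizeof(g->key) - got;
        got += pool_extract(p, g->key + got, want, EXTRACT_ANY);
    }
    return got;
}

/* Wrapper for experimenting: how many key bytes come from the pool when
 * only good_avail GOOD bytes exist at keying time. */
size_t keyed_bytes(size_t good_avail, int buggy)
{
    struct pool p = { good_avail, 0x41 };
    struct generator g;
    memset(g.key, 0xEE, sizeof(g.key)); /* stand-in for stack noise */
    return rekey(&p, &g, buggy);
}

int main(void)
{
    for (size_t avail = 0; avail <= KEY_BYTES; avail += 8)
        printf("GOOD bytes available: %2zu  buggy keyed %2zu/%d  fixed keyed %2zu/%d\n",
               avail, keyed_bytes(avail, 1), KEY_BYTES,
               keyed_bytes(avail, 0), KEY_BYTES);
    return 0;
}
```

With the fixed expression the key is always fully supplied by the pool; with the buggy one, a pool that is short of GOOD bytes leaves every byte past `got + sizeof(uint8_t *)` as stack residue, which is the worst case the advisory spells out. The check a reviewer wants here is the same one that catches the bug: `sizeof` applied to anything other than a plain array or type name deserves a second look.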

One thought on “NetBSD: RNG Bug May Result in Weak Cryptographic Keys #sameold #sameold”

  1. Dave Walker

    Just goes to show how astonishingly hard the problem of testing randomness is. It would be interesting to see some notes on comparative classes of crypto bug, by frequency and functionality; I’d lay good odds on RNGs being up at the top of the list.
