
OpenBSD Will Not Fix PRNG Weakness

snake-oil-security writes "Last fall Amit Klein found a serious weakness in the OpenBSD PRNG (pseudo-random number generator), which allows an attacker to predict the next DNS transaction ID. The same flavor of this PRNG is used in other places, like the OpenBSD kernel network stack. Several other BSD operating systems copied the OpenBSD code for their own PRNG, so they're vulnerable too: Apple's Darwin-based Mac OS X and Mac OS X Server, and also NetBSD, FreeBSD, and DragonFlyBSD. All the above-mentioned vendors were contacted in November 2007. FreeBSD, NetBSD, and DragonFlyBSD committed a fix to their respective source code trees; Apple refused to provide any schedule for a fix; and OpenBSD decided not to fix it. OpenBSD's coordinator stated, in an email, that OpenBSD is completely uninterested in the problem and that the problem is completely irrelevant in the real world. This was highlighted recently when Amit Klein posted to the BugTraq list."

  • OpenBSD secure?! (Score:4, Interesting)

    by darkob ( 634931 ) on Sunday February 10, 2008 @09:21AM (#22369032)
    This most certainly WILL have an impact on OpenBSD's status as a "secure" OS. Indeed, OpenBSD claims to have a "proactive" approach towards security, whereas this issue should and will diminish some of OpenBSD's "security goodwill".
  • Re:Uh what ... yeah (Score:2, Interesting)

    by teh kurisu ( 701097 ) on Sunday February 10, 2008 @09:23AM (#22369046) Homepage

    If BSD used the GPL, then Apple still wouldn't be providing a fix, because they wouldn't be using OSS at all. Neither licence is better than the other in this regard.

    I don't agree with the trolling from either camp. The licence you release your code under is a matter of personal choice.

  • Re:Uh what (Score:5, Interesting)

    by Zeinfeld ( 263942 ) on Sunday February 10, 2008 @09:25AM (#22369050) Homepage
    Is the summary just supposed to be as shocking as possible? How about some details on why specifically they decided not to patch it?

    It is entirely believable to me. Back in 1995 I told Marc Andreessen at Netscape that he had a serious problem with the random number generator used to choose session keys for SSL. There was simply not enough randomness going in for there to be 128 bits going out.

    Marc had every reason to listen to me, I had broken SSL 1.0 in ten minutes when he tried to demonstrate it at MIT. But it took several weeks to drill the problem into his thick skull.

    So they eventually asked me for a description of how to do the thing right.

    A year later the exact same bug was discovered independently. By this time they had hired some competent crypto people. I spoke to Taher about the problem later and his explanation was that they found the design note on the PRNG which was so comprehensive that they didn't think it necessary to check the actual code.

  • Re: Uh what (Score:1, Interesting)

    by Anonymous Coward on Sunday February 10, 2008 @09:37AM (#22369098)
    What if the router is OpenBSD?
  • Re:Uh what ... yeah (Score:3, Interesting)

    by cloricus ( 691063 ) on Sunday February 10, 2008 @09:39AM (#22369104)
    Because that is why they aren't using WebKit, Apache, Samba, CUPS (or employing the guy who writes it), and several others in their default install.

    While I would agree with you on the matter of trolling, it really gets old when BSD users trumpet it constantly, whereas in my experience GPL supporters tend to realise there are limitations. Of course I'm sure it is seen the same way across the bridge.
  • Re:Uh what ... yeah (Score:3, Interesting)

    by Richard_at_work ( 517087 ) on Sunday February 10, 2008 @10:26AM (#22369382)
    WebKit is LGPL, Apache is under the Apache license, Samba is under the GPL and CUPS (source code copyright, company name and other tangibles) was purchased by Apple a year ago this month (as well as hiring the main developer).

    Out of the four items you mention, only one is GPL. You could have done much better to suggest such examples as GCC et al.

    The great thing about the BSD license is that when people do contribute back (and they do, even big companies like Apple), you know it's because they *want* to, not because they *have* to.
  • by argiedot ( 1035754 ) on Sunday February 10, 2008 @11:03AM (#22369608) Homepage
    Or by using radiation (if I remember high school science): http://www.blackcatsystems.com/GM/random.html
  • by ivan256 ( 17499 ) on Sunday February 10, 2008 @11:55AM (#22370052)
    Where do you think the data for /dev/urandom comes from? It's a pseudo-random number generator unless you've got a hardware random number generator, but even that probably uses a pseudo-random algorithm.
  • Theo has refused to implement other 'foreign' security changes in OpenBSD when they were first introduced, then turned around and implemented them after a while. He was contemptuous towards non-execute stacks when I spoke with him at Usenix many years ago, because he was convinced OpenBSD's code review policy made it irrelevant and because no-execute didn't stop all stack smashing attacks... but OpenBSD eventually picked it up.

    Basically, he's very conservative, very resistant to change, and don't forget that's one of the things that made OpenBSD what it was to begin with... but if it really matters he'll come around.
  • by jbn-o ( 555068 ) <mail@digitalcitizen.info> on Sunday February 10, 2008 @02:13PM (#22371252) Homepage

    So, in other words, the grandparent poster's point is valid and the larger, more important issue remains: proprietary derivatives of non-copylefted free software use the free software community as a market instead of treating us as equals.

    The great thing about the BSD license is that when people do contribute back (and they do, even big companies like Apple), you know it's because they *want* to, not because they *have* to.

    Nobody "has" to under the GPL; to the degree that what you said is true, the same is true of the GPL. Statements like yours ignore all the choices that lead up to distributing source code. There's nothing in the GPL that compels conveyance. There are only conditions in the GPL that compel source code conveyance with object code conveyance. It's trivially easy to not improve GPL-covered software or not distribute the improved version. The larger issue here is whether the free software community owes Apple anything. We don't. If they want to join us and work with us, great, if not they can write their own software. The GPL helps ensure that when people and organizations convey copies of programs they do so as equals. NeXT (now owned by Apple) already tried distributing GCC derivative software without distributing complete corresponding source code when GCC was under GPLv2. It made NeXT look like an ass and put them at risk of being able to distribute GCC at all. NeXT later rectified the situation by distributing complete corresponding source code in compliance with GPLv2.

  • by Anonymous Coward on Sunday February 10, 2008 @03:47PM (#22372152)
    Which is why they made it.

    Odd that.

    Oh, and if it was BSD, they still wouldn't have to give out the code changes.

    The reason why Google may want to is so that they don't have to keep putting the change back in (or check that something else changed in a new version breaks what they did).

    Your point is true, but pointless.

    Unless you wanted to do something down because you don't like it.
  • by maxwell demon ( 590494 ) on Sunday February 10, 2008 @04:05PM (#22372298) Journal
    Well, let me try to explain.

    Imagine a spin-1/2-particle (e.g. an electron). Such a particle has the peculiar property that if you measure its spin along any chosen axis, you'll always get either 1/2 ("spin up") or -1/2 ("spin down").

    OK, let's assume we have just measured the spin in z direction and got +1/2. Let me first note that this is stable: if we measure the z-spin of the same particle again (assuming it didn't interact in between), we will again get +1/2 each time. That is, once we measure +1/2 in z direction, every subsequent measurement will confirm that result (this may seem trivial, but it will be important further down).

    Now we want to know: What is the spin in x direction? Well, it can neither be 1/2 nor -1/2, because we've "used up" all of the spin for the z direction. OTOH +1/2 and -1/2 are the only allowed values; 0 is not a possible value.

    But then, if we want to know the spin in x direction, after all we can just measure it. If we do so, we indeed find either +1/2 or -1/2, and never anything else. Moreover, we find that in half of the cases we get +1/2, and in the other half we get -1/2, so on average the x spin indeed is zero, but for each single measurement we get either +1/2 or -1/2. And that value also turns out to be stable: if we repeat the x-spin measurement, we get the same value again.

    Well, now we could say, maybe we just got it all wrong about spin, and in truth electrons separately have an x spin of +1/2 or -1/2 and a z spin of +1/2 or -1/2 (and the same for any other direction), and what we've found is just that half of our electrons are electrons with "+" spin in one direction, and "-" spin in the other. Now, let us test that hypothesis.

    We now only look at electrons which were found to have spin +1/2 in z-direction, and subsequently found spin +1/2 in x direction. OK, if the above hypothesis holds, if we now again measure in z-direction, we should again confirm the value +1/2, because after all, that value is stable, right? Well, what we find is that only in half of the cases we find z-spin +1/2, but in the other half we find z-spin -1/2! So somehow by measuring the x-spin, we destroyed the value for the z-spin.

    Indeed, by measuring the spin value in one direction, we destroy the spin value for any other direction. The latest measurement destroys all information gained through previous measurements, so that if we know what we measured last (i.e. both the direction we measured in, and the measurement result), we know everything we can know about the spin. The results of previous measurements don't add any knowledge about future measurements. If we measured +1/2 on one measurement, the probability to get +1/2 on another measurement depends only on the angle of our new measurement direction to the previous measurement (and the same of course for -1/2). The smaller the angle, the more probable it is to get the same result for the new direction (measuring again in exactly the same direction reliably gives the same result again, as noted above). If we measure in a perpendicular direction, the results are completely uncorrelated to the previous measurement result; we get just +1/2 or -1/2 with 50% probability each.

    So measurement obviously destroys whatever state the electron spin had before, and establishes a new state according to the result we got.
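    The z, then x, then z sequence described in this comment as an added simulation (example code, not part of the original post): the particle's knowable state is taken to be the axis along which it was last found "up", and the chance that a measurement along an axis at angle theta from that one repeats the last result is cos^2(theta/2), so a perpendicular axis gives 50/50 and the earlier z result is gone. The axes, the sample size and the seed are constructed for this example.

```python
import math
import random

# Measurement axes as unit vectors (Bloch-sphere picture). Constructed example.
Z_UP = (0.0, 0.0, 1.0)
X_UP = (1.0, 0.0, 0.0)


def prob_same_sign(theta):
    """Chance that measuring along an axis at angle theta (radians) from the
    axis of the last measurement repeats the last result: cos^2(theta/2).
    theta=0 -> 1 (stable repeat), pi/2 -> 0.5 (uncorrelated), pi -> 0."""
    return math.cos(theta / 2.0) ** 2


def angle_between(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return math.acos(max(-1.0, min(1.0, dot)))


def measure(state, axis, rng):
    """Measure spin along `axis`. `state` is the axis along which the particle
    was last found 'up'; per the comment, that is all that is knowable about it.
    Returns (result, new_state) with result +1 or -1 (units of hbar/2)."""
    if rng.random() < prob_same_sign(angle_between(state, axis)):
        return +1, axis
    # 'down' along axis is the same state as 'up' along the opposite axis
    return -1, tuple(-c for c in axis)


def z_x_z_experiment(n, seed=1):
    """Run the comment's sequence on n particles prepared z-up: measure x,
    keep only the x-up particles, then measure z again. As a control, also
    re-measure z directly on untouched z-up particles. Returns fractions."""
    rng = random.Random(seed)
    z_repeat_up = x_up = z_up_after_x_up = 0
    for _ in range(n):
        state = Z_UP
        r, _unchanged = measure(state, Z_UP, rng)   # control: always +1
        z_repeat_up += r == +1
        r, state = measure(state, X_UP, rng)         # perpendicular axis
        if r == +1:
            x_up += 1
            r, state = measure(state, Z_UP, rng)     # z information is gone
            z_up_after_x_up += r == +1
    return {
        "z_repeat_up": z_repeat_up / n,                    # ~1.0
        "x_up": x_up / n,                                  # ~0.5
        "z_up_after_x_up": z_up_after_x_up / max(x_up, 1), # ~0.5, not 1.0
    }
```

    Calling z_x_z_experiment(20000) shows the control re-measurement staying at exactly 1.0 while the post-selected x-up particles come back z-up only about half the time, which is the collapse the comment describes.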
  • by styrotech ( 136124 ) on Sunday February 10, 2008 @05:06PM (#22372904)

    First they refused to implement WPA


    From my impression that is an overstatement. OpenBSD will get WPA when someone writes it well enough for it to get in. Although the current devs don't want to write it themselves (as they don't feel they need it), they have left the door open for someone else to write it.

    "doesn't provide real security" and "just use IPSEC" aren't reasons why it won't get in at all but reasons why that particular developer(s) isn't going to bother writing it themselves. OpenBSD is probably the ultimate "scratch your own itch" and "talk is cheap, show me the code" project. So far WPA hasn't made anyone in the OpenBSD community itchy enough. After all WEP still got in even though it is far less secure than WPA2 - someone wanted it enough to write it.
  • by Breakfast Pants ( 323698 ) on Sunday February 10, 2008 @05:19PM (#22373002) Journal
    It isn't that they just flippantly refuse these things to be assholes, they have extremely limited resources and they have to make tradeoffs.
  • by Theatetus ( 521747 ) on Monday February 11, 2008 @04:02AM (#22376968) Journal
    But they tend to have a point. They are right, ultimately, that the transport level is the "correct" level for security. WEP and WPA are both, ultimately, kind of pointless in that a determined attacker will be able to compromise them. It's just that WPA prevents a large class of casual attacks that WEP doesn't. In theory, yes, someone concerned about secure network traffic will secure that traffic at the transport level -- the problem is that if you don't control both sides of the transaction, transport-layer security is often not available (e.g., https://slashdot.org/ redirects to http://slashdot.org/
