The FreeBSD project will diminish the importance of the so-called random number generators (RNGs) that are built into recent chips from Intel and Via Technologies, its developers have decided. This marks a new low for trust in the security provided by semiconductor vendors, in the wake of Edward Snowden’s revelations of mass surveillance.
FreeBSD is a free Unix-like operating system, the code for which can be found in various software distributions and even popular consumer devices such as the PlayStations 3 and 4. The security shift decision was made in September at the FreeBSD Developer Summit but has only attracted attention in the last day or so, through posts on The Register and Ars Technica. Monday saw the first release candidate for FreeBSD 10.0, where these changes are implemented.
Intel and Via’s recent x86 processors come with instructions called RDRAND and PadLock respectively, that act as RNGs; they are supposed to spew out genuinely random numbers that can then be used in encryption on the systems they’re powering. In cryptography, the more entropy or randomness there is in “random” numbers, the better the strength of the security. (In reality, it’s near-impossible to generate truly random numbers, so RNGs should be more properly known as pseudorandom number generators, or PRNGs.)
The problem is, since Snowden revealed how the NSA and its partners have been actively working to undermine common security mechanisms, largely through the agency’s keen involvement in standards-setting processes, nobody in the security industry trusts much anymore — and if you’re going to undermine security at a fundamental level, hardware RNGs would be a great spot to weaken. Yes this is paranoid territory, suspecting that the NSA has stuck backdoors into Intel chips when there’s no proof, but these are paranoid times.
“It will still be possible to access hardware random number generators, that is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL from userland, if required, but we cannot trust them anymore,” the FreeBSD project’s notes from the September summit read. Instead, RDRAND and PadLock’s output will become inputs for a separate RNG algorithm called Yarrow, the output of which will inform the /dev/random file that applications use for encryption.
As Ars Technica’s Dan Goodin notes, it was in any case a good idea to add more sources of entropy to FreeBSD’s /dev/random – the more you have, the more random the result. Over in the world of Linux (a separate project from FreeBSD, though both are Unix-like OSs), Linus Torvalds has struck out at suggestions of RDRAND representing a Linux backdoor, noting that the instruction is only one of many inputs into the operating system’s random pool.