possible /dev/random compromise (misplaced trust in RDRAND / Padlock entropy sources)
According this publication , The New York Times, Pro Publica, and The Guardian,
reported in September that the NSA and its British counterpart are working with
chipmakers to insert backdoors, or cryptographic weaknesses, in their products.
Software trusting chip-based crypto support, and in particular software which
uses specialized chips to obtain entropy might be compromising the quality of
the entropy pool as made available to /dev/random.
This has been recently discussed at security conference in EuroBSDcon 2013. The
"we are going to backtrack and remove RDRAND and Padlock backends and feed
them into Yarrow instead of delivering their output directly to /dev/random.
It will still be possible to access hardware random number generators, that
is, RDRAND, Padlock etc., directly by inline assembly or by using OpenSSL
from userland, if required, but we cannot trust them any more"
In consequence the FreeBSD project has deemed it necessary to unlink entropy
providers in Intel RDRAND and Via Padlock technologies from the main
/dev/random source (http://svnweb.freebsd.org/base?view=revision&revision=256377).
Advice from Security Team would be appreciated in order to determine which
action needs to be taken in Debian.
Here's my best attempt at determining the behaviour of kFreeBSD relative to
Intel RDRAND / Via Padlock entropy sources:
kfreebsd 8.3 and 9.0 (wheezy):
Sets Via chipset to serve /dev/random unconditionally whenever detected,
but only on i386 (not amd64). Does not support Intel entropy source.
kfreebsd 9.2 (jessie / sid):
Sets Via or Intel chipset to serve /dev/random when detected,
unless hw.nehemiah_rng_enable or hw.ivy_rng_enable are set to zero
to disable them.
kfreebsd 10~ (sid):
All versions in Debian already have the fixed code, which replaces
random_adaptor_register() with live_entropy_source_register(), thereby
registering Via and Intel chips as "entropy sources" to be post
processed by Yarrow, rather than directly as "random adaptors".