From owner-doc-jp@jp.freebsd.org  Thu Jun 22 00:15:42 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id AAA97860;
	Thu, 22 Jun 2000 00:15:42 +0900 (JST)
	(envelope-from owner-doc-jp@jp.FreeBSD.org)
Received: from sv01.geocities.co.jp (sv01.geocities.co.jp [210.153.89.155])
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) with ESMTP id AAA97855
	for <doc-jp@jp.freebsd.org>; Thu, 22 Jun 2000 00:15:41 +0900 (JST)
	(envelope-from hrs@geocities.co.jp)
Received: from mail.geocities.co.jp (mail.geocities.co.jp [210.153.89.137]) by sv01.geocities.co.jp (8.9.3+3.2W/3.7W) with ESMTP id AAA28319 for <doc-jp@jp.freebsd.org>; Thu, 22 Jun 2000 00:15:41 +0900 (JST)
Received: from mail.hrs.jp (sutnmax1-ppp22.ed.noda.sut.ac.jp [133.31.173.32]) by mail.geocities.co.jp (1.3G-GeocitiesJ-3.3) with ESMTP id AAA05956 for <doc-jp@jp.freebsd.org>; Thu, 22 Jun 2000 00:15:38 +0900 (JST)
Message-Id: <200006211515.AAA05956@mail.geocities.co.jp>
Received: from localhost (alph.hrs.jp [192.168.0.10])
	by mail.hrs.jp (8.9.3/3.7W/DomainMaster) with ESMTP id XAA13569
	for <doc-jp@jp.freebsd.org>; Wed, 21 Jun 2000 23:48:19 +0900 (JST)
	(envelope-from hrs@hrs.jp)
To: doc-jp@jp.freebsd.org
In-Reply-To: <20000620192506.1645.qmail@smtp.246.ne.jp>
References: <20000612215144.D1A3B37BBF7@hub.freebsd.org>
	<20000620192506.1645.qmail@smtp.246.ne.jp>
X-Mailer: Mew version 1.94 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Wed, 21 Jun 2000 23:48:16 +0900
From: Hiroki Sato <hrs@geocities.co.jp>
X-Dispatcher: imput version 990905(IM130)
Lines: 174
Reply-To: doc-jp@jp.freebsd.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: doc-jp 7472
Subject: [doc-jp 7472] Re: ANNOUNCE: FreeBSD Security Advisory:
 FreeBSD-SA-00:25.alpha-dev-random
Errors-To: owner-doc-jp@jp.freebsd.org
Sender: owner-doc-jp@jp.freebsd.org
X-Originator: hrs@geocities.co.jp

This is Sato at Tokyo University of Science.

>The FreeBSD kernel provides a cryptographic-strength pseudo-random
>number generator via the /dev/random and /dev/urandom interfaces,
>which samples hardware measurements to provide a high-quality source
>of "entropy" (randomness).
>
>FreeBSD $B%+!<%M%k$O(B, /dev/random $B$*$h$S(B /dev/urandom $B%$%s%?%U%'!<%9$rDL(B
>$B$8$F(B cryptographic-strength $B$J5?;wMp?tH/@84o$rDs6!$7$F$$$^$9(B. $B$3$N5?;w(B
>$BMp?tH/@84o$O(B, $B%O!<%I%&%'%"(B measurement $B$r%5%s%W%j%s%0$7$F(B, $B9bIJ<A$J(B
>$B!V%(%s%H%m%T!<!W$N85(B (randomness) $B$rDs6!$7$^$9(B. 

 |FreeBSD $B$N%+!<%M%k$O(B /dev/random $B$*$h$S(B /dev/urandom $B%$%s%?!<%U%'!<%9$r(B
 |$BDL$8$F0E9f$N@8@.$K;HMQ2DG=$J6/EY$r;}$C$?5?;wMp?tH/@84o$rDs6!$7$F$$$^$9(B.
 |$B$3$N5?;wMp?tH/@84o$O%O!<%I%&%'%"E*$JB,Dj$r9T$J$$(B,
 |$B9bIJ<A$N%(%s%H%m%T!<(B($BMp;($5(B)$B8;$rDs6!$9$k$b$N$G$9(B.

>II.  $BLdBj$N>\:Y(B - Problem Description
>
>The FreeBSD port to the Alpha platform did not provide the /dev/random
>or /dev/urandom devices - this was an oversight during the development
>process which was not corrected before the Alpha port "became
>mainstream". FreeBSD/i386 is not affected.
>
>Alpha $B%W%i%C%H%U%)!<%`$X$N(B FreeBSD $B$N0\?"$G$O(B, $B%G%P%$%9(B /dev/random $B$*(B
>$B$h$S(B /dev/urandom $B$rDs6!$7$F$$$^$;$s$G$7$?(B. $B$3$l$O(B, Alpha $B$X$N0\?"$N(B
>$B!V%a%$%s%9%H%j!<%`2=!W0JA0$K=$@5$5$l$J$+$C$?$H$$$&(B, $B3+H/%W%m%;%9Cf$N(B
>$B%_%9$G$9(B. 

 |FreeBSD $B$N(B Alpha $BHG$K$O(B /dev/random $B$d(B /dev/urandom $B$H$$$C$?(B
 |$B%G%P%$%9$,Ds6!$5$l$F$$$^$;$s$G$7$?(B.  $B$3$l$O3+H/2aDx$K$*$1$k(B
 |$BITCm0U$+$i5/$3$C$?%_%9$G$"$j(B, Alpha $BHG$,3+H/$N%a%$%s%9%H%j!<%`$H(B
 |$B$J$k$^$G=$@5$5$l$^$;$s$G$7$?(B.  i386 $BHG(B FreeBSD $B$K$O(B
 |$B$3$N%_%9$N1F6A$O$"$j$^$;$s(B.

>As a consequence, there is no way for Alpha systems prior to the
>correction date to obtain cryptographic-strength random numbers,
>unless an application "rolls its own" entropy gathering
>mechanism. This in itself is not a vulnerability, although it is an
>omission and a departure from the expected behaviour of a FreeBSD
>system.
>
>$B$=$N7k2L(B, $B=$@5F|0JA0$N(B Alpha $B%7%9%F%`$G$O(B, $B%"%W%j%1!<%7%g%s$,!V<+J,$N!W(B
>$B%(%s%H%m%T!<$r(B gather $B$9$k5!9=$r!V;}$?$J$$$J$i$P!W(B
>cryptographic-strength $BMp?t$rF@$k$?$a$N<jCJ$,$"$j$^$;$s(B. $B$3$N$3$H$O(B, 
>$B$=$l<+?H$G$O<eE@$G$O$"$j$^$;$s$,(B, $B$3$l$O<jH4$+$j$G$"$j(B, FreeBSD $B%7%9%F(B
>$B%`$K4|BT$5$l$k?6$kIq$$$KH?$7$F$$$^$9(B. 

 |$B$=$N7k2L(B, $B=$@5F|0JA0$N(B Alpha $B%7%9%F%`$G$O!V%"%W%j%1!<%7%g%s<+?H$,!W(B
 |$B%(%s%H%m%T!<$N@8@.5!9=$r;}$C$F$$$J$$8B$j(B, $B0E9f$N@8@.$K;HMQ$G$-$k$h$&$J(B
 |$B6/EY$r;}$C$?Mp?t$rF@$k$3$H$O$G$-$^$;$s(B.
 |$B$3$l$OK\Mh(B FreeBSD $B%7%9%F%`$K4|BT$5$l$?F0:n$HH?$9$k$b$N$G$9$,(B,
 |$B$3$l<+BN$,%;%-%e%j%F%#>e$N<eE@$H$J$k$o$1$G$O$"$j$^$;$s(B.

>The actual vulnerability is that some applications fail to correctly
>check for a working /dev/random and do not exit with an error if it is
>not available, so this weakness goes undetected. OpenSSL 0.9.4, and
>utilities based on it, including OpenSSH (both of which are included
>in the base FreeBSD 4.0 system) are affected in this manner (this bug
>was corrected in OpenSSL 0.9.5)
>
>The real weakness is that there are applications which cannot correctly
>check whether /dev/random works and, because they do not exit with an
>error even when /dev/random is unavailable, do not notice this weakness.
>OpenSSL 0.9.4 and utilities based on it such as OpenSSH (both are
>included in the FreeBSD 4.0 base system) are affected (this bug is
>fixed in OpenSSL 0.9.5).

 |What actually constitutes a security weakness is that there are
 |applications which do not check that /dev/random works properly and,
 |furthermore, do not exit with an error even when /dev/random is
 |unavailable.
 |In that case, this security weakness remains undetected.
 |OpenSSL 0.9.4 and the utilities based on it such as OpenSSH (both of
 |which are included in the FreeBSD 4.0 base system) both fall into this
 |category.
 |(This bug was fixed in OpenSSH 0.9.5.)

>Therefore, cryptographic security systems on vulnerable FreeBSD/Alpha
>systems (including OpenSSH in the base FreeBSD 4.0 system) may have
>weakened strength, and cryptographic keys generated on such systems
>should not be trusted.
>
>$B$3$N$?$a(B, $B<eE@$r;}$D(B FreeBSD/Alpha $B>e$N0E9f$K4p$E$/%;%-%e%j%F%#%7%9%F(B
>$B%`(B ($B4^$`(B FreeBSD 4.0 $B$N%Y!<%9%7%9%F%`Cf$N(B OpenSSH) $B$N6/EY$K$O<e$5$,$"(B
>$B$j(B, $B$=$N$h$&$J%7%9%F%`>e$G@8@.$5$l$?0E9f80$O?.Mj$9$Y$-$G$O$"$j$^$;$s(B. 

 |$B$7$?$,$C$F(B, FreeBSD/Alpha $B%7%9%F%`>e$N0E9f$K$b$H$E$/(B
 |$B%;%-%e%j%F%#%7%9%F%`(B(FreeBSD 4.0 $B$N%Y!<%9%7%9%F%`$K$"$k(B OpenSSH $B$r4^$`(B)$B$O(B
 |$B==J,$J0E9f6/EY$r;}$C$F$$$J$$2DG=@-$,$"$j$^$9(B.  $B$^$?(B, $B$=$l$i$N%7%9%F%`>e$G(B
 |$B@8@.$5$l$?0E9f80$O?.Mj$G$-$k$b$N$G$O$"$j$^$;$s(B.

>III. $B1F6AHO0O(B - Impact
>
>Cryptographic secrets (such as OpenSSH public/private keys) generated
>on FreeBSD/Alpha systems may be much weaker than their "advertised"
>strength, and may lead to data compromise to a dedicated and
>knowledgeable attacker.
>
>FreeBSD/Alpha $B%7%9%F%`>e$G@8@.$5$l$?0E9f$K$*$1$kHkL)(B (OpenSSH $B$N8x3+80(B
>$B$dHkL)80$N$h$&$J(B) $B$O(B, $B!V8x>N!W6/EY$h$j$b$:$C$H<e$$$b$N$K$J$C$F$7$^$&4m(B
>$B81@-$,$"$j$^$9(B. $B$=$7$F(B, $B$R$?$`$-$GCN<1$N$"$k967b<T$KBP$7$F%G!<%?$O4m81(B
>$B$K$5$i$5$l$^$9(B. 

 |Alpha $BHG(B FreeBSD $B%7%9%F%`$G@8@.$5$l$?0E9f$K$h$C$F<i$i$l$F$$$k$b$N(B
 |($B$?$H$($P(B OpenSSH $B$N8x3+80$dHkL)80(B)$B$O(B, $B8x>N$N0E9f6/EY$h$j$b<e$$$b$N$K(B
 |$B$J$C$F$$$k2DG=@-$,$"$j$^$9(B.  $B$=$N$?$a(B, $BG&BQ6/$/CN<1$N$"$k967b<T$+$i(B
 |$B%G!<%?$,FI$_$H$i$l$F$7$^$&4m81$,$"$j$^$9(B.

>PGP/GnuPG keys, and keys generated by the SSH or SSH2 ports, are not
>believed to be weakened since that software will correctly detect the
>lack of a working /dev/random and use alternative sources of
>entropy. OpenSSH and OpenSSL are currently the only known vulnerable
>applications.
>
>PGP/GnuPG $B$N80$d(B, SSH $B$^$?$O(B SSH2 $B$N(B port $B$G@8@.$5$l$?80$O(B, 
>/dev/random $B$,F/$+$J$$$3$H$r@5$7$/8!=P$7(B, $BBe$o$j$N%(%s%H%m%T!<$N85$r;H(B
>$BMQ$9$k$N$G(B, $B<eE@$O$J$$$H?.$8$i$l$F$$$^$9(B. $B8=:_$N$H$3$m(B, $B<eE@$,$"$k%"%W(B
>$B%j%1!<%7%g%s$H$7$F3NG'$5$l$F$$$k$N$O(B OpenSSH $B$H(B OpenSSL $B$@$1$G$9(B. 

 |PGP/GnuPG $B$N0E9f80$d(B, SSH $B$^$?$O(B SSH2 $B$N(B port $B$G@8@.$5$l$?0E9f80$K$D$$$F$O(B,
 |$B0E9f$N6/EY$,<e$/$J$C$F$$$k$h$&$J$3$H$O$J$$$H9M$($i$l$F$$$^$9(B.
 |$B$=$l$O(B, $B$3$l$i$N%=%U%H%&%'%"$,(B /dev/random $B$NITHw$r$-$A$s$H8!=P$7(B,
 |$B%(%s%H%m%T!<8;$H$7$FB>$N$b$N$rMQ$$$k$+$i$G$9(B.
 |$B$3$NLdBj$,%;%-%e%j%F%#>e$N<eE@$H$J$k$3$H$,3NG'$5$l$F$$$k(B
 |$B%"%W%j%1!<%7%g%s$O(B OpenSSH $B$H(B OpenSSL $B$@$1$G$9(B.

>IV.  $BBP1~:v(B - Workaround
>
>None available.
>
>None yet.

 |$B$"$j$^$;$s(B.

>NOTE: Because of the significant improvements to the FreeBSD/Alpha
>platform in FreeBSD 4.0, it is not planned at this time to backport
>the necessary changes to FreeBSD 3.4-STABLE.
>
>$BCm0U(B: FreeBSD 4.0 $B$K$*$1$k(B FreeBSD/Alpha $B%W%i%C%H%U%)!<%`$G$O$+$J$j<j(B
>$B$,F~$C$F$$$k$?$a(B, $B8=;~E@$G$O(B FreeBSD 3.4-STABLE $B$KBP$9$kI,MW$JJQ99$N(B 
>backport $B$O9M$($F$$$^$;$s(B. 

 |$BCm0U(B: FreeBSD 4.0 $B$N(B Alpha $BHG$K$OBg$-$J2~NI$,9T$J$o$l$?$?$a(B,
 |      $B:#2s(B, $BI,MW$J=$@5ItJ,$r(B FreeBSD 3.4-STABLE $B$K0\?"$9$k$3$H$O(B
 |      $BM=Dj$5$l$F$$$^$;$s(B.

>2) Immediately regenerate all OpenSSH-generated SSH keys and
>OpenSSL-generated SSL certificates, and any other data relying on
>cryptographic random numbers which were generated on FreeBSD/Alpha
>systems, whose strength cannot be verified. [Note: for most systems,
>the only significant vulnerability is likely to be from OpenSSH and
>OpenSSL-generated keys and certificates (e.g. for SSL webservers)]
>
>2) Promptly regenerate all SSH keys generated with OpenSSH, all SSL
>certificates generated with OpenSSL, and all other data based on
>cryptographic random numbers whose strength cannot be verified, which
>were generated on FreeBSD/Alpha systems.
>[Note: for most systems, the only significant weakness is thought to be
>keys and certificates generated with OpenSSH and OpenSSL (e.g. for SSL
>web servers)]

 |OpenSSH $B$,@8@.$7$?(B SSH $B0E9f80(B, OpenSSL $B$,@8@.$7$?(BSSL $B>ZL@=q$*$h$S(B,
 |FreeBSD/Alpha $B%7%9%F%`>e$G@8@.$5$l$kMp?t$G0E9f2==hM}$5$l$?(B
 |$B$"$i$f$k%G!<%?$r$9$_$d$+$K:F@8@.$7$F$/$@$5$$(B.
 |$B$=$l$i$9$Y$F$N%G!<%?$O(B, $B?.Mj$G$-$k$@$1$N0E9f6/EY$r(B
 |$B;}$C$F$$$k$3$H$rN)>Z$G$-$^$;$s(B.
 |[$BCm0U(B: $B$[$H$s$I$N%7%9%F%`$G$O(B, OpenSSH $B$H(B OpenSSH $B$N@8@.$9$k(B
 | $B0E9f80(B, $B>ZL@=q(B($B$?$H$($P(B SSL $B%&%'%V%5!<%PMQ(B)$B$@$1$,(B
 | $B=EBg$J%;%-%e%j%F%#>e$N<eE@$H$J$k$G$7$g$&(B.]

--
| $B:4F#(B $B9-@8!wEl5~M}2JBg3X(B <hrs@geocities.co.jp>
|
|                                  j7397067@ed.noda.sut.ac.jp(univ)
|                        hrs@jp.FreeBSD.org(FreeBSD doc-jp Project)
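The failure mode the advisory describes above (an application that carries on when /dev/random is missing instead of exiting with an error), shown as an added example that is not code from the advisory, from OpenSSL or from OpenSSH: a fail-closed read of the kernel entropy device. It assumes a POSIX system; the function name and the path parameter are this example's own.

```c
/* Added example (not code from the advisory, OpenSSL or OpenSSH): a
 * fail-closed read of the kernel entropy device. Assumes a POSIX system;
 * the device path is a parameter so a missing or wrong node can be
 * exercised, as on the unfixed Alpha port where the node did not exist. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 0 only if n bytes were read from a character device at path.
 * A missing node, a regular file standing in for the device, or a short
 * read are all failures: no silent fallback to a weaker seed. */
int read_entropy_device(const char *path, unsigned char *buf, size_t n)
{
    struct stat st;
    size_t got = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -1;                          /* device absent: the Alpha case */
    if (fstat(fd, &st) != 0 || !S_ISCHR(st.st_mode)) {
        close(fd);                          /* present, but not a device node */
        return -1;
    }
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;                       /* interrupted: retry the read */
        if (r <= 0)
            break;                          /* EOF or error: short read */
        got += (size_t)r;
    }
    close(fd);
    return got == n ? 0 : -1;
}

/* The behaviour the advisory asks for: exit with an error rather than
 * generate keys without a working /dev/random. */
int main(void)
{
    unsigned char seed[32];
    if (read_entropy_device("/dev/random", seed, sizeof seed) != 0) {
        fprintf(stderr, "no working /dev/random: refusing to generate keys\n");
        return EXIT_FAILURE;
    }
    printf("read %zu bytes of kernel entropy\n", sizeof seed);
    return EXIT_SUCCESS;
}
```

The check verifies presence and device type only; it does not judge the quality of the bytes returned, which is the kernel's job.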
