prng change feedback

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

ringsignature at riseup.net ringsignature at riseup.net
Fri Oct 6 07:13:07 UTC 2017 

Hello,

On 2017-10-06 01:11, Harald Welte wrote:
> Hi RS,
> 
> On Thu, Oct 05, 2017 at 05:20:21AM -0700, ringsignature at riseup.net wrote:
>> On 2017-10-05 11:09, Neels Hofmeyr wrote:
>> > What about an attacker firing endless events that cause us to generate new
>> > TMSIs and ends up exhausting the entropy pool? AFAIK that's a real possibility?
>>
>> Could you quantify that? What is the process by which an attacker would
>> be able to cause new TMSI generation? Does it require interactivity from
>> them or can they simply flood OpenBSC with a packet that triggers a the
>> creation of a TMSI? If such a flood is possible, that suggests a
>> security problem at the least and a possible entropy problem.
> 
> Well, it probably depends on the interface the attacker has access to
> (Radio/Backhaul/...) and hence the threat model.
> 
> A TMSI is allocated at many possible transactions, but all of them
> [should, in a sane implementation!] require authentication first, so it
> requires interactivity and is not just a simple flood.
> 

That is reasonable. I wonder how much entropy that entire process start
to finish will use in any given authentication process? That's I
suppose, a GSM (and other related protocols) research question rather
than an OpenBSC specific question.

>> How much random data does OpenBSC currently use in a given period of
>> time, say one day?
> 
> I think for all practical installations outside of an attack scenario
> that we know of, it's very little.

That is what I'd expect - I'd also expect in the cases where it is used,
it is probably a contributory process with inputs from all communicating
peers.

> 
>> What are the system requirements for OpenBSC with regard to a hardware
>> rng or manual seeding?
> 
> We don't publish hardware requirements.

If I may humbly suggest, it may be worth suggesting that users ensure
that it is their responsibility to have a good RNG source for the Linux
kernel. There are probably a few situations where entropy failure is
catastrophic. The generation of K_i seems to be an obvious failure,
though there are probably other interesting failures where a badly
behaving handset might be able to force the the network side to compute
over a value that is unsafe in some manner. Again, some research which
is out of scope but hopefully helpful to someone reading along...

> 
>> Does OpenBSC only run on Linux or BSD systems with the getrandom()
>> interface?
> 
> We don't officially support or build test on anything but Ubuntu >=
> 16.04, Debian >= 8 and FreeBSD >= 10.3.  We of course don't know what
> people decide to run the code on, in the end.

There is a python issue [0] which explains in detail many choices that
the python project has made and why with regard to supporting os.random.
There is also an excellent "Entropy-supplying system calls" overview
page on Wikipedia [1] that is worth reviewing.

On my Debian stable machine, my glibc does not appear to have
getrandom() while my kernel does have the syscall for getrandom(). On
FreeBSD to test if the machine is properly seeded one may check the
kern.random.sys.seeded sysctl and then subsequent calls to [2]
read_random() or read_random_uio() [3] may be functionally similar.
FreeBSD appears to define those functions such that if there isn't a
DEV_RANDOM, the functions simply return 0. It appears OpenBSD supplies a
getentropy() function on their system.

getentropy() is documented on Debian as a wrapper around getrandom():
 
  DESCRIPTION
       The  getentropy() function writes length bytes of high-quality
random data to the buffer starting at the loca‐
       tion pointed to by buffer.  The maximum permitted value for the
length argument is 256.

       A successful call to getentropy() always returns the requested
number of bytes of entropy.

It may make sense as a matter of portability to first look for the
syscall for getrandom(), getrandom(), getentropy(), and finally a
compile failure, in that order? I'm not sure, though whatever is
selected should be logged.

> 
>> Does OpenBSC store random seed data between boots?
> 
> Not our code.  That's a task of the OS, no?

I know that modern systems are supposed to handle this functionality. It
should be a task taken care of by the OS, of course. I believe both
officially supported platforms do handle this exact issue which is
reasonable.

Happy Hacking,
RS

[0] https://bugs.python.org/issue27266
[1] https://en.wikipedia.org/wiki/Entropy-supplying_system_calls
[2] https://svnweb.freebsd.org/base?view=revision&revision=286839
[3]
https://svnweb.freebsd.org/base/head/sys/sys/random.h?view=markup&pathrev=286839

More information about the OpenBSC mailing list