krb5 and PRNGs

Ken Raeburn raeburn at MIT.EDU
Tue Sep 21 19:10:01 EDT 2010


As best I recall, when the Yarrow support was originally done, /dev/random and especially /dev/urandom were relatively new and not always available everywhere, so something would've been needed anyways on systems not supplying them, and it would have to use other sources as best it could.  We do use /dev/urandom to seed Yarrow, but we also include other sources.  Not necessarily all sources with strong entropy, but values unlikely to be known to or controlled by an attacker, like a (previously generated) encryption key -- of course, you then want a *very* good one-way function.

I don't remember if we were concerned about the implementation quality as well, but for such a new facility, it's entirely possible.  (According to Wikipedia's "/dev/random" page, various flaws have been found in the implementations in FreeBSD 5.2.1, Linux 2.4.21, Solaris 8, and Mac OS X 10.3; those are since our initial Yarrow work.  There's more interesting stuff in there, like the variations in semantics between systems.)

The big reason for not using /dev/random on Linux is that reading from it blocks until data is available.  Having the Kerberos library randomly pause for a few hours because no one is banging on the keyboard or wiggling the mouse is unacceptable.  Especially since a typical KDC probably goes for days without anyone banging on the keyboard or wiggling the mouse.

If you do want to switch to just using /dev/[u]random (and whatever the Windows secure PRNG API is), there are packages out there like EGD and PRNGD which would provide similar interfaces for older systems that don't supply them natively.

Ken
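The seeding approach Ken describes above (take /dev/urandom output, fold in other values that are unpredictable to an attacker even if low in entropy, and push everything through a strong one-way function, while never letting a blocking /dev/random read stall the library) is shown below as an added example. This is illustrative code written for this page, not krb5's Yarrow implementation or any code from the thread; SHA-256 as the one-way function, the length-prefixed mixing layout, the function names, and the "previously generated key" stand-in are all assumptions of the example.

```python
import hashlib
import os
import struct
import time

URANDOM = "/dev/urandom"
RANDOM = "/dev/random"


def read_urandom(n):
    """Read n bytes from /dev/urandom; this never blocks.
    Falls back to os.urandom() where the device does not exist
    (an assumption of this example, not krb5 behaviour)."""
    try:
        fd = os.open(URANDOM, os.O_RDONLY)
    except OSError:
        return os.urandom(n)
    try:
        out = b""
        while len(out) < n:
            chunk = os.read(fd, n - len(out))
            if not chunk:
                raise RuntimeError("short read from " + URANDOM)
            out += chunk
        return out
    finally:
        os.close(fd)


def try_read_random_nonblocking(n):
    """Attempt a non-blocking read from /dev/random.  Returns whatever
    the kernel hands back (possibly fewer than n bytes, possibly none)
    instead of hanging the caller when the pool has nothing to give,
    which is the failure mode the message warns about on an idle KDC."""
    try:
        fd = os.open(RANDOM, os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return b""
    try:
        return os.read(fd, n)
    except BlockingIOError:
        return b""
    finally:
        os.close(fd)


def mix_seed(sources, personalization=b"example-yarrow-seed"):
    """Combine inputs of varying quality into one fixed-size seed with a
    one-way function (SHA-256, assumed here).  Every input is length-
    prefixed so that (b"ab", b"") and (b"a", b"b") hash differently and
    a weak source cannot be made to cancel a strong one by boundary games."""
    h = hashlib.sha256()
    h.update(struct.pack(">I", len(personalization)) + personalization)
    h.update(struct.pack(">I", len(sources)))
    for src in sources:
        h.update(struct.pack(">Q", len(src)))
        h.update(src)
    return h.digest()


def collect_seed(previous_key=None):
    """Gather the kinds of inputs the message lists: /dev/urandom output,
    anything /dev/random will give without waiting, values an attacker is
    unlikely to know (pid, high-resolution clock), and optionally a key
    generated earlier.  All of it goes through the one-way function."""
    sources = [
        read_urandom(32),
        try_read_random_nonblocking(32),   # best effort, never waits
        struct.pack(">Q", os.getpid()),
        struct.pack(">Q", time.time_ns()),
    ]
    if previous_key is not None:
        sources.append(previous_key)
    return mix_seed(sources)


if __name__ == "__main__":
    prev = bytes(range(32))  # constructed stand-in for an earlier key
    print(collect_seed(prev).hex())
```

The important property is that no single source has to be good: as long as at least one input is unknown to the attacker and the one-way function is sound, the seed is unpredictable, and the library never pauses waiting for keyboard or mouse activity.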



More information about the krbdev mailing list