2014-04-17 23:25:43

What is this private key doing in my random pool?

As a consequence of the Heartbleed bug, the OpenBSD community has taken up the challenge of auditing the OpenSSL source code and improving its general quality. Given the recent events this is a very necessary and just cause and should by all means be supported.

A necessary prerequisite to editing OpenSSL code however should be either some amount of knowledge about how cryptosystems work or, alternatively, guidance by people who have such knowledge. The underlying issue is that crypto source code tends to be extremely fragile since a lot of the effort needs to go into preventing so-called “oracles”, which are code paths which reveal information about the success or failure of cryptographic processes either through differences in the error message, through differences in timing of the involved methods in case of success or failure, or through differences in power consumption or heat radiation caused by different code paths being taken.

This is not about this kind of oracles though, but right now we're talking about a relatively simple matter: random pools.

Random Pools and Non-Random Data

The inner workings of random pools are relatively simple. Essentially, each pool has a given size and quality. Data which is used for encryption can only be withdrawn from the pool if the randomness of the data in the pool, the so-called entropy, has passed a given theshold. Until then, any attempts to withdraw random data from the pool will simply block until enough random data is available. This is the main reason why virtual machines sometimes take such a long time doing SSL handshakes.

The pool is usually fed from a variety of random sources. One of these sources can be key presses, which aren't very random per se but there is some amount of jitter in latency even if you are just typing away at a word. So this would feed into the pool as a source with a relatively low entropy value. You can also measure the timing differences between issuing read or write commands to the disk and getting a result back. Since this is not influenced by humans, the entropy of this source might be a lot higher. Finally, some people attach actual diodes to the serial or USB port of their machines and gather actual physical entropy, which would of course be the highest known level of entropy.

So essentially you would want an algorithm which, for every byte of entropy from the keyboard gives you perhaps 0.3 bytes of entropy from the pool, and for every byte of entropy from the hard disk you get to read 0.7 bytes of entropy out of the pool, and for each byte of entropy from the diode you get 1 byte of entropy from the pool. That's why the RAND_add function in OpenSSL takes a third parameter named “entropy”. It simply specifies a factor which should be applied to the size of random data passed into the pool to know by how much the pool size can be advanced.

Typically this is achieved by using a XOR operation of the already-pooled random data with the data being passed in. As long as data is not XORed against itself (which yields 0), it will always come out at least as random than it went in.

Using entropy from untrusted sources

A nice game played by some nerds on IRC is called “random number exchange”. Essentially, you send someone a random number to be fed into the pool — but with the entropy of 0. This will not advance the pool of the other person a single bit. However, it has 2 possible outcomes:

  1. The data is not of good quality. The worst case of this would be a value that is all-ones or all-zeroes. Clearly, such a number is not random at all. In the case of all-zeroes, the contents of the random pool are unchanged. In the case of all-ones, the contents of the random pool end up being its binary complement. The binary complement of a random number is just as random as the original number.
  2. The data is actually random. In that case, the actual entropy in the random pool is increased, since the existing data is XORed against other random data. That makes it more unpredictable what will be returned next from the pool.

So as you can see, whatever data you feed into the random pool at entropy 0 can only increase the entropy of the pool data but never decrease it.

Feeding sensitive data into the random pool

What the OpenBSD audit had found was that OpenSSL was feeding sensitive data — user passwords and cryptographic secret keys — into the random pool. The code doing so was deleted from the OpenBSD OpenSSL repository with a question in the commit message: “What were they thinking?!”

What they were thinking is actually a good question. As we learned already, any data that is fed into the random pool at entropy 0 cannot harm the quality of the random data. In the case of the code which was deleted, the entropy parameter of RAND_add was always 0. Also, the manual page of RAND_add clearly states:

RAND_add() may be called with sensitive data such as user entered passwords. The seed values cannot be recovered from the PRNG output.

Can we justify this claim?

Yes, we can. The important part here is that the data is fed into the pool at entropy 0, which means that no bytes will be released from the pool until enough entropy has been gathered so we can confidently state that the data returned is random. At that point, we essentially XORed the sensitive data with high-entropy random data. This algorithm is known as a One-Time Pad. As long as the random data used in the XOR is guaranteed to be high-entropy and as long as it is never ever re-used, whichever data is XORed against it becomes indistinguishable from random noise. This means that adding the sensitive data into the random pool may have increased the entropy of the pool or not, but it also means that we can never tell what has been written into the pool.

So the patch which was committed by the OpenBSD people actually has the potential to weaken the entropy of the OpenSSL random pool, but it was never a security or privacy concern, so the patch doesn't fix anything. As such I would suggest that it should be backed out.


In addition to the technical side of things, the OpenBSD community is currently in the process of falling victim to a rather massive administrative fallacy in Open Source development. They are producing a rather large set of patches against OpenSSL. As recently outlined by Kristian Köhntopp (in German), this operation runs at high risk of the patches never making their way back into OpenSSL because it would be too much effort to go through all of them. So essentially, OpenBSD is creating a fork of OpenSSL.

Given their minuscule manpower, I don't think they're up to that…

2013-12-08 20:57:33

A tale from the world of Bad Licensing™

A while ago, we had to buy a laptop for running Windows so we could operate the vinyl cutter at our makerspace. So we went for a refurbished T61 with Windows 7 and installed the cutter software on it.

To activate the license of the cutter software, you have to connect to the Internet (which is already something we didn't really want to do, but in the world of Closed Source software you already know you don't usually get what you want). So we tried to fire up the online activation feature, but it failed right away stating that the support has been notified of the failure.

Since we're a volunteer driven organization, we are mostly present outside of working hours, so we tried to use the half-offline activation workflow. We generated a license request file and uploaded it to the website of the vendor. We received a license file back. The web site also stated that we'll receive an e-mail with details on how to install the license.

In the meantime, our Windows had noticed that it has been connected to the Internet. Windows Defender fired up, installed some update and then notified us that it had found and deleted an “activation hack”. Then, Windows claimed that we had an illegal version installed and offered us to buy a new license for a mere 169.- CHF.

Luckily, the shop which sold us the refurbished laptop was around at the time and told us to just go through the activation process again. We typed all the numbers in once more and our Windows was happy again.

However, in all this time we had not yet received an activation e-mail from the vinyl cutter vendor. The vendor was not available for comment. So we looked through the documentation, trying to figure out what we should do with the license file. The documentation said: “Just execute the license file”, however, it was merely a text file.

We assumed that what they meant was to open the text file using the cutter software, but starting the cutter software only asked to enter a license key (which would create another license request file). So we thought that running the cutter software with the license file as a parameter might do the trick.

Unfortunately, it didn't. It opened the cutter software in some weird mode where it showed all options but no cutter could be selected. We assumed the license would be accepted now, but when we re-opened the cutter software, it asked us to enter the license key again.

So to summarize, we cannot use the software for the cutter we bought and we randomly had to re-activate our operating system. For now I'm back to the land where the license says “Keep the copyright license, use and distribute it as you like but don't blame me!”

Posted by Tonnerre Lombard | Permanent link | File under: broken

2013-12-03 15:16:35

The female Hurricane

Not sure if you ever realized, but the song works for a different group of our population as well.

Pistol shots ring out in the barroom night
Enter Ruben Valentine from the upper hall
He sees the bartender in a pool of blood
Cries out, “My God, they killed them all!”
Here comes the story of Miss Hurricane
The girl the authorities came to blame
For somethin’ that she never done
Put in a prison cell, but one time she could-a been
The champion of the world

Three bodies lyin’ there does Ruben see
And another man named Bello, movin’ around mysteriously
“I didn’t do it,” he says, and he throws up his hands
“I was only robbin’ the register, I hope you understand
I saw them leavin’,” he says, and he stops
“One of us had better call up the cops”
And so Ruben calls the cops
And they arrive on the scene with their red lights flashin’
In the hot New Jersey night

Meanwhile, far away in another part of town
Patty Carter and a couple of friends are drivin’ around
Number one contender, female middleweight crown
Had no idea what kinda shit was about to go down
When a guy pulled her over to the side of the road
Just like the time before and the time before that
In Paterson that’s just the way things go
If you’re a girl you might as well not show up on the street
’Less you wanna draw the heat

Alfred Bello had a partner and he had a rap for the cops
Him and Arthur Dexter Bradley were just out prowlin’ around
He said, “I saw two girls runnin’ out, one looked like middleweights
They jumped into a white car with out-of-state plates”
And Sir Ruben Valentine just nodded his head
Cop said, “Wait a minute, boys, this one’s not dead”
So they took him to the infirmary
And though this man could hardly see
They told him that he could identify the guilty ones

Four in the mornin’ and they haul Patty in
Take her to the hospital and they bring her upstairs
The wounded man looks up through his one dyin’ eye
Says, “Wha’d you bring her in here for? She ain’t the fry!”
Yes, here’s the story of Miss Hurricane
The girl the authorities came to blame
For somethin’ that she never done
Put in a prison cell, but one time she could-a been
The champion of the world

Four months later, the ghettos are in flame
Patty’s in South America, fightin’ for her name
While Arthur Dexter Bradley’s still in the robbery game
And the cops are puttin’ the screws to him, lookin’ for somebody to blame
“Remember that murder that happened in a bar?”
“Remember you said you saw the getaway car?”
“You think you’d like to play ball with the law?”
“Think it might-a been that fighter that you saw runnin’ away?”
“Don’t forget that you're a man”

Arthur Dexter Bradley said, “I’m really not sure”
Cops said, “A poor boy like you could use a break
We got you for the motel job and we’re talkin’ to your friend Bello
Now you don’t wanta have to go back to jail, be a nice fellow
You’ll be doin’ society a favor
That feminazi bitch is brave and gettin’ braver
We want to put her ass in stir
We want to pin this triple murder on her
She ain’t no social girl”

Patty could take someone out with just one punch
But she never did like to talk about it all that much
It’s my work, she’d say, and I do it for pay
And when it’s over I’d just as soon go on my way
Up to some paradise
Where the trout streams flow and the air is nice
And ride a horse along a trail
But then they took her to the jailhouse
Where they try to turn a girl into a mouse

All of Patty’s cards were marked in advance
The trial was a pig-circus, she never had a chance
The judge made Patty’s witnesses helpless and bewitched
To the male folks who watched she was a hateful feminist bitch
And to the girlfolks she was just a crazy whore
No one doubted that she killed them all
And though they could not produce the gun
The D.A. said she was the one who did the deed
And the all-male jury agreed

Patty Carter was falsely tried
The crime was murder “one,” guess who testified?
Bello and Bradley and they both baldly lied
And the newspapers, they all went along for the ride
How can the life of such a girl
Be destroyed without causing a stir?
To see her obviously framed
Couldn’t help but make me feel ashamed to live in a land
Where women are a game

Now all the criminals in their coats and their ties
Are free to drink martinis and watch the sun rise
While Patty's like Marissa in a ten-foot cell
An innocent girl in a living hell
That’s the story of Miss Hurricane
But it won’t be over till they clear her name
And give her back the time she’s done
Put in a prison cell, but one time she could-a been
The champion of the world

Posted by Tonnerre Lombard | Permanent link | File under: gender_equality

2013-02-04 23:20:50

NetBSD support for Intel kernel Mode Setting

A few versions ago, Intel started releasing drivers for their graphics cards which would rely on the kernel to switch between graphics modes (a new development from the Linux/FLOS world). This would, for example, ease the transition between framebuffer consoles and X11.

Since however the NetBSD kernel doesn't yet (as of version 6.0) support setting graphics modes, this means that later Intel drivers don't work under current NetBSD releases.

And there our hero, Grégoire Sutre, comes to play. He started a project on GitHub to port DRM/GEM to NetBSD from OpenBSD, which had a paid person implementing it for them under a BSD license.

Testing it on the stable release

A while ago, I replaced my old Thinkpad T61 with a T520. Unfortunately, this meant I also had to switch from NetBSD to Debian GNU/Linux because NetBSD wouldn't run on the T520 and I didn't have the time to change that. Also, at that time, neither of the BSDs supported kernel mode setting.

A few days ago, prompted by the announcement of the CONFIG_VT deprecation under Linux, I decided to make another attempt at getting NetBSD to run on the T520 and stumbled across Grégoires work. It was a bit awkward to take his changes and to apply them to NetBSD 6.0, because they were made for NetBSD-current and had to be modified first. Nonetheless, I managed to apply them relatively sensibly.

The rest doesn't take a lot of time to lay out. I built a release with the changes and applied it to my NetBSD system. There, everything worked. I had Intel graphics.

So I decided to upload a patch to my FTP server. In addition to that, I also built the release sets and an installation ISO image and uploaded them. You can find everything on ftp.bsdprojects.net under NetBSD-6.0-drmgem-20130203.

How to apply the patch to NetBSD-6

The distribution method Grégoire chose was a bit awkward to use (as described above), so I decided to create two patches (one for src, one for xsrc) and distribute those instead for NetBSD-6. The rest of the procedure is pretty straightforward. First, fetch the patches:

% ftp http://ftp.bsdprojects.net/pub/bsdprojects/NetBSD/NetBSD-6.0-drmgem-20130203/netbsd6-drmgem-src-20130203.diff.gz
% ftp http://ftp.bsdprojects.net/pub/bsdprojects/NetBSD/NetBSD-6.0-drmgem-20130203/netbsd6-drmgem-xsrc-20130203.diff.gz

Then, get the source code from CVS.

% cvs -d anoncvs@anoncvs.xy.netbsd.org:/cvsroot co -P -rnetbsd-6 src
% cvs -d anoncvs@anoncvs.xy.netbsd.org:/cvsroot co -P -rnetbsd-6 xsrc

Apply the patches:

% (cd xsrc && zcat ../netbsd6-drmgem-xsrc-20130203.diff.gz | patch -p0)
% cd src && zcat ../netbsd6-drmgem-src-20130203.diff.gz | patch -p0

… and build the tools and release:

% ./build.sh -j 9 -x tools
% ./build.sh -j 9 -x release
% ./build.sh -j 9 -x install=/

Then ensure that all your pkgsrc packages are linked against the X.Org release installed from the base. Things might work ok if you link the clients against X.Org from pkgsrc, but the pkgsrc X server certainly won't work. And if you already use X.Org from base anyway, why not use it for everything.

The Future

Right now the drmgem code is in a state where Intel kernel mode setting works. However, all the DRM modules have been deactivated in the X.Org source. This is because they don't seem to work yet. So the patch cannot yet be committed as it is, because for everybody who's not using Intel, it would be a step back.

So this means that the patch needs some brushing up. But it's good, solid work and will hopefully be ready to be committed into the source base some day soon.

What's left to say: Thank you, Grégoire Sutre, for your good work! If we can help you somehow, please let us know.

Flattr this

2013-01-29 20:40:35

The Apple Experiment: Conclusions

At this point I've used the iPhone continuously as a main phone for a month in a row. I've made serious attempts to replicate all workflows I used on my Android phone, with varying results.

Holding it Wrong

The first thing you'll notice is that data transfers appear to be really slow over GSM most of the time. It's ok for reading Twitter using the app, but if you open a web site it can take a number of minutes before you finally have at least the text to read in front of you. Under the same conditions, the Android phone could load the web site in a matter of seconds (still slow, but it's mobile, so well). Using the same carrier, of course.

There's the old joke that people are simply holding the iPhone wrong. I think it was Steve Jobs who came up with this joke when he was still alive. Either way, I tried various ways of holding the phone, including upside down, and nothing would improve the page loading speed.

To add to the pain, the iPhone interpretes touchscreen presses which arrive while the screen is darkened (to announce impending screen lock). So if you tap somewhere on the screen to keep it awake while loading the page, it suddenly follows some not-yet-displayed link and you'll never see the page you wanted to go to.

An additional annoyance is the switch to turn sounds on and off. It is generally a good idea, however, you will always end up switching sounds on and off like mad with your pocket.

Which brings us to the general point that the iPhone hardware is incredibly fragile. Android devices appear relatively sturdy with their gorilla glass. If you drop them by accident, they aren't usually damaged. If you drop an iPhone on the floor, the glass will typically be shattered, and worse effects may occur.

Multi-singletasking in Mind

One of the biggest points you will notice quite quickly is that there is an enormous lack of integration of the different apps. Imagine for example that you want to share a link to something. You have Twitter, Google+, Delicious, Soup (well ok, they don't have an iPhone client), mail, chat, etc. on the phone. However, there is no common sharing dialog like in Android. Every App has to integrate all those programs itself in its own sharing dialog. This means that you can only share to whatever the App writer was aware of.

Likewise, there are no URL namespaces. If you get a Google Docs link in mail (not GMail, which tries to work around this), it will be opened in the browser. YouTube links? Open them in the browser. Google+ links? Open the browser, too. It would be much more valuable to use the dedicated apps for those purposes instead so people can use the service more efficiently, especially given the painfully slow page loads.

To address this problem, App implementors have written the most useless workarounds. If you click on a link in the Twitter app, a new embedded browser will be launched inside Twitter, because Twitter doesn't want to lose everything which was currently open. That makes sense for Twitter, but not as a whole, especially since that embedded browser lacks some controls and is really awkward to use. Especially as you now have two back buttons. And you can't switch to a different tab from the main browser instance, because it is not the browser.

Another issue is copying and pasting. Just like in early Linux days, it works part of the time and sometimes you get inexplicable results. Some Apps just don't seem to care though and just don't offer copying and pasting. I would have expected this to work ok in anything implemented after 1993.

To add insult to injury, apps which don't get the focus for a while are quit. This is quite annoying when you use a Jabber client on the phone, because you have to get it back into the foreground every couple of minutes to prevent it from quitting and being disconnected. As a workaround, many Jabber clients send you push notifications a minute or two before they're terminated. But that's nothing more than an ugly, annoying hack and far from the nice integration of Jabber clients as background tasks in Android.

Notify … but about what?

Notifications (”push messages“) are another issue where the current solution is unbearable. It appears that every app has its own notification process which cannot communicate with the main process. This goes even as far as to add a counter to the app icon. For example, you have 2 Twitter notifications. They are displayed on your screen lock, although truncated. You unlock the screen and find that the Twitter icon has a small ”2“ besides it, indicating that two unread notifications have been received.

Then you open Twitter and you don't see anything at all. It doesn go to the replies tab because apparently the App doesn't know you want that. You open the replies tab and realize it doesn't have your reply yet because it hasn't been reloaded since the message arrived. Given that Twitter ran in the background, that's kindof logical, but it isn't helpful and not a way in which I would want to implement my Apps. And it doesn't just affect Twitter: it's everywhere! TweetDeck has it, Mail has it, GMail has it, even the App Store has it. If we're fetching all that data for the notification, why can't we just have it in the app as well? What kind of notifications are those? Especially given the poor data transfer rates of the iPhone you really don't want to wait for all your replies to be downloaded again.

Even worse, it's quite difficult to actually follow notifications because when you click on one, all the others tend to go away. So you will know that something happened but you have no way of following up without looking through your phone and installed Apps. Why?!

And since I mentioned the icon: there is no reasonable way to sort a list of generic things other than alphabetically. The phone knows the language of the user and thus the sorting alphabet to use. Yet all apps appear in the order in which they have been installed. That's cool if you just installed something, but in a few days you won't remember if you installed SecureChat before or after pterm. So either let the user categorize the icons into desktops, with grouping functions, all by themselves, or don't assume anything and just order the icons alphabetically. I know that SecureChat comes after pterm in the latin alphabet.

If you buy an iPhone, you must be rich

Another really big minus is the pricing of iPhone apps. On Android, you get a great variety of good apps for free. For example, you have ConnectBot, a decent SSH client which someone implemented. People like to share stuff for Android for free. And the average Android app in the market costs CHF 1.99, so not terribly expensive.

On the iPhone, the general idea appears to be ”You paid a lot of money for your phone, so you can pay a lot of money for your Apps“. The most reasonable SSH client appears to be pTerm, which costs CHF 5.-. It's merely a port of PuTTY to the iPhone, so it's based on Open Source software, yet you pay more for it than you pay for a loaf of bread.

The regular iPhone port of the RealVNC viewer is sold for CHF 10.-. It's even twice as expensive as the already-expensive SSH client. It costs more than a loaf of bread and a decent piece of cheese. Nagios clients cost between CHF 15.- and 20.-. A client for a web interface which lets you view fields and click buttons.

In this respect the so-called ”Genius“, a function in the App Store which advertises you Apps you could buy, becomes even more ridiculous.

Welcome to the iCloud, where everything

And then there's the iCloud. I already mentioned all the fun I had with trying to create an account there. Once I had my account I couldn't import my calendar from anywhere. Because why would you want to do that? Now that you have an iPhone you can make totally new, more shiny friends!

Then I tried exporting an ical file from a web site and importing it into iCloud. The phone didn't really know what an .ics file is supposed to be, so I tried using the web interface. It's full of fancy features for creating calendar events, but the one thing it cannot do is importing calendars. The data is siloed in the iCloud, no communication with the outside is permitted. No matter which way.

What went well

There are two things iPhones are really good at. The first is good support for customer apps by companies. For example, Crédit Suisse so far only released their online banking App for iPhones, not for Android. The same goes for the german institute Deutsche Bank.

(On the other hand, small indy apps like Soup tend to be more widely available on Android.)

The other thing is podcasts. Apple has had a lot of time to implement a good podcast App, and so far there appears to be no good equivalent for Android. There are some podcast apps, some of which even work ok. But none of the tested ones have the comfort of the Apple Podcast App at this precise moment.


It is possible to use the iPhone as ones primary device for a period of time. However, the discomfort of doing so and the various annoyances suggest it is not a good idea. I was extremely happy when I could finally pick up my Galaxy Nexus and use it again. All in all, the iPhone feels like the bad phone hardware from 2005 mixed with an operating system from 1993, which is not a very pleasant experience.

Especially given the high price, required involvement (owning and maintaining a Mac, buying MacOS upgrades, buying an iPhone, buying apps, etc.) and the high risk of damaging the phone, it seems a rather questionable investment.

In my opinion, the iPhone needs a couple of years to come to the same level that other phones already have. The entire operating system needs to be better integrated (like Linux desktops, for example). The hardware needs a revamp and needs to catch up with recent developments like gorilla glass and covered switches, or more sturdy hardware in general.

Flattr this