-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Feedback from the security community has triggered an investigation into the quality of PolarSSL's random number generation within virtualised environments. PolarSSL performs the random number generation and cryptographic functions required by OpenVPN-NL.
To ensure that security is maintained while this investigation proceeds, the NLNCSA has added an extra restriction to its deployment advisory:
- OpenVPN-NL should not be used in virtualised environments.
This restriction might be lifted in the future, depending on the results of the investigation.
We would like to thank Jacob Appelbaum, Marsh Ray, and Oscar Koeroo for starting the discussion on this matter.
Details
-------
PolarSSL versions prior to v1.1 use only the HAVEGE random number generation algorithm. At its heart, this uses timing information based on the processor's high resolution timer (the RDTSC instruction). This instruction can be virtualised, and some virtual machine hosts have chosen to disable this instruction, returning 0s or predictable results.
Currently, the problem appears to be limited to commercial cloud server providers.
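As an added illustration (not code from the advisory or from PolarSSL), a health check a deployment could run over raw timer samples before trusting a HAVEGE-style source: it rejects a timer that returns only zeros or a constant, predictable stride. read_tsc, tsc_source_healthy and the sample arrays are constructed for this example; the cutoff of repeated deltas is an assumed tuning value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Read the TSC on x86; elsewhere return 0, which the check below rejects. */
static uint64_t read_tsc(void)
{
#if defined(__x86_64__) || defined(__i386__)
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi));
    return ((uint64_t)hi << 32) | lo;
#else
    return 0;
#endif
}

/* Health check over raw timer samples. Returns 1 if the source looks usable,
 * 0 if it is degenerate: every reading is 0 (instruction disabled), or the
 * same delta repeats 'cutoff' times in a row (a repetition-count test in the
 * style of NIST SP 800-90B, applied to the deltas a HAVEGE loop consumes). */
int tsc_source_healthy(const uint64_t *s, size_t n, size_t cutoff)
{
    int all_zero = 1;
    size_t run = 1;
    if (n < 3 || cutoff < 2)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (s[i] != 0)
            all_zero = 0;
    for (size_t i = 2; i < n; i++) {
        if (s[i] - s[i - 1] == s[i - 1] - s[i - 2]) {
            if (++run >= cutoff)
                return 0;
        } else {
            run = 1;
        }
    }
    return !all_zero;
}

/* Constructed samples: a disabled timer, a perfectly predictable one, and one with jitter. */
const uint64_t tsc_disabled[8] = {0, 0, 0, 0, 0, 0, 0, 0};
const uint64_t tsc_stride[8] = {100, 200, 300, 400, 500, 600, 700, 800};
const uint64_t tsc_jitter[8] = {100, 231, 299, 471, 502, 688, 713, 940};

int main(void)
{
    uint64_t live[64];
    for (size_t i = 0; i < 64; i++)
        live[i] = read_tsc();
    printf("live TSC source: %s\n", tsc_source_healthy(live, 64, 8) ? "healthy" : "DEGENERATE");
    return 0;
}
```

A real guest should treat a failed check as a reason to refuse to seed from that source, not as a reason to keep sampling until it passes.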
Solution
--------
A new version of PolarSSL, v1.1, will be released within a few days. This contains a new random number generator based on the CTR_DRBG algorithm specified in NIST SP-800-90. The entropy used by this algorithm is accumulated from multiple sources, including the existing HAVEGE RNG, platform-specific entropy sources and timing sources. This increases the quality of the entropy pool and makes it less vulnerable to problems within a single source.
Once this new RNG has been successfully evaluated, it will be included in future releases of OpenVPN-NL.
Further research is also being done to determine the overall quality of random number generation within virtual machines.