From: Theodore Tso <tytso@mit.edu>
To: Matt Mackall <mpm@selenic.com>
Cc: Thiago Galesi <thiagogalesi@gmail.com>, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 7/14] random: Remove SA_SAMPLE_RANDOM from network drivers
Date: Sun, 7 May 2006 20:13:33 -0400 [thread overview]
Message-ID: <20060508001333.GA17138@thunk.org> (raw)
In-Reply-To: <20060507160013.GM15445@waste.org>
On Sun, May 07, 2006 at 11:00:14AM -0500, Matt Mackall wrote:
> Yes, CRC-16 was a rhetorical device. MD4 would not have been.
MD4 is succeptible to a 2nd pre-image attack, yes. This means that
given a specific message and its MD4 checksum, you can find another
message which will have the same MD4 checksum. But that doesn't help
you at all if you only have the MD4 checksum. And even the 2nd
pre-image attack still requires O(2**40) operations. That's within
the reach of modern CPU's yes, but that simply gives you a *second*
pre-image that has the same MD4 checksum as original message.
In order to crack the entropy pool, you need a large number of outputs
from /dev/random, and be able to find a large number of pre-images
very rapidly. This is the main reason why I believe the entropy
accounting is still useful. Even if the entropy accounting is off by
several orders of magnitude, it is still useful, since the attacks
that we're talking about will very likely require a huge number of
data points. For example, the most powerful cryptoanalytic attack
against DES still requires 2**43 plaintext/ciphertext pairs.
But in answer to your question, what should we do, my suggestion would
be to sample all interrupts, and calculate the estimated entropy
credits as we to day, but scaled by an amount that can range from 0 to
100%. This amount can be configured by system administrators, and
will have intelligent defaults for each device driver to the amount of
entropy should be credited for a particular device. If we care, we
can set the default percentage scalaing factor for platforms with no
TSC reguster and HZ=100 to be zero. But for most normal/modern
platforms, I would argue the default scaling factor should be 100%.
The bottom line is this is much ado about nothing. As I have said,
most programs use /dev/urandom, not /dev/random; the only really
appropriate use of /dev/random is to generate long-term public/private
keypairs, or perhaps to seed some other cryptographic random number
generator (like /dev/urandom).
- Ted
next prev parent reply other threads:[~2006-05-08 0:13 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-05 16:42 [PATCH 1/14] random: Remove SA_SAMPLE_RANDOM from floppy driver Matt Mackall
2006-05-05 16:42 ` [PATCH 6/14] random: Remove redundant SA_SAMPLE_RANDOM from touchscreen drivers Matt Mackall
2006-05-05 16:42 ` [PATCH 5/14] random: Remove bogus SA_SAMPLE_RANDOM from at91 compact flash driver Matt Mackall
2006-05-05 16:42 ` [PATCH 3/14] random: Make CCISS use add_disk_randomness Matt Mackall
2006-05-05 16:42 ` [PATCH 2/14] random: Remove redundant SA_SAMPLE_RANDOM from NinjaSCSI Matt Mackall
2006-05-05 16:42 ` [PATCH 4/14] random: Change cpqarray to use add_disk_randomness Matt Mackall
2006-05-05 16:42 ` [PATCH 8/14] random: Remove SA_SAMPLE_RANDOM from USB gadget drivers Matt Mackall
2006-05-06 11:07 ` Denis Vlasenko
2006-05-06 18:16 ` David Brownell
2006-05-06 18:31 ` Matt Mackall
2006-05-05 16:42 ` [PATCH 10/14] random: Remove bogus SA_SAMPLE_RANDOM from mpc52xx serial driver Matt Mackall
2006-05-05 16:42 ` [PATCH 11/14] random: Remove UML usage of SA_SAMPLE_RANDOM Matt Mackall
2006-05-05 16:42 ` [PATCH 9/14] random: Remove SA_SAMPLE_RANDOM from i2c drivers Matt Mackall
2006-05-05 16:42 ` [PATCH 7/14] random: Remove SA_SAMPLE_RANDOM from network drivers Matt Mackall
2006-05-05 17:13 ` Kyle Moffett
2006-05-05 17:24 ` Matt Mackall
2006-05-05 19:11 ` Theodore Tso
2006-05-05 20:30 ` Stephen Hemminger
2006-05-05 20:34 ` Matt Mackall
2006-05-06 11:55 ` Theodore Tso
2006-05-06 16:48 ` Matt Mackall
2006-05-06 17:29 ` Bernd Eckenfels
2006-05-06 18:05 ` Theodore Tso
2006-05-06 20:33 ` Matt Mackall
2006-05-07 0:17 ` David S. Miller
2006-05-07 1:22 ` Theodore Tso
2006-05-07 5:07 ` Matt Mackall
2006-05-08 21:58 ` Sami Farin
2006-05-24 22:47 ` Marcin Dalecki
2006-05-25 0:08 ` Theodore Tso
2006-05-31 19:29 ` Bill Davidsen
2006-05-07 0:08 ` David S. Miller
2006-05-07 4:59 ` Matt Mackall
2006-05-07 5:46 ` David S. Miller
2006-05-07 16:31 ` Matt Mackall
2006-05-07 13:13 ` Thiago Galesi
2006-05-07 16:00 ` Matt Mackall
2006-05-07 17:00 ` Thiago Galesi
2006-05-08 0:13 ` Theodore Tso [this message]
2006-05-08 2:55 ` Matt Mackall
2006-05-08 6:26 ` Pavel Machek
2006-05-08 7:07 ` David S. Miller
2006-05-08 14:05 ` Matt Mackall
2006-05-08 17:21 ` Pavel Machek
2006-05-08 17:27 ` Matt Mackall
2006-05-09 11:23 ` Pavel Machek
2006-05-11 10:05 ` Ph. Marek
2006-05-24 22:35 ` Marcin Dalecki
2006-05-05 21:10 ` David S. Miller
2006-05-05 23:03 ` Matt Mackall
2006-05-05 23:19 ` David S. Miller
2006-05-06 14:08 ` Folkert van Heusden
2006-05-06 15:19 ` Lee Revell
2006-05-07 10:35 ` Folkert van Heusden
2006-05-07 16:33 ` Matt Mackall
2006-05-05 16:42 ` [PATCH 12/14] random: Remove not very useful SA_SAMPLE_RANDOM from lubbock Matt Mackall
2006-05-05 16:42 ` [PATCH 13/14] random: Remove SA_SAMPLE_RANDOM from IRQ fastpath Matt Mackall
2006-05-05 16:42 ` [PATCH 14/14] random: Remove add_interrupt_randomness Matt Mackall
-- strict thread matches above, loose matches on Subject: below --
2006-05-08 7:38 [PATCH 7/14] random: Remove SA_SAMPLE_RANDOM from network drivers linux
2006-05-12 6:09 ` linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060508001333.GA17138@thunk.org \
--to=tytso@mit.edu \
--cc=linux-kernel@vger.kernel.org \
--cc=mpm@selenic.com \
--cc=thiagogalesi@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.