From: Matt Mackall <mpm@selenic.com>
To: Theodore Tso <tytso@mit.edu>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/6] random: do extraction before mixing
Date: Sun, 9 Dec 2007 01:12:26 -0600 [thread overview]
Message-ID: <20071209071226.GW19691@waste.org> (raw)
In-Reply-To: <20071209003554.GT17037@thunk.org>
On Sat, Dec 08, 2007 at 07:35:54PM -0500, Theodore Tso wrote:
> On Sat, Dec 08, 2007 at 05:20:17PM -0600, Matt Mackall wrote:
> > random: do extraction before mixing
> >
> > If an attacker manages to capture the current pool state, she can
> > determine the last 10 bytes extracted from the pool.
>
> That's not true; we aren't just extracting data in the
> __add_entropy_words() call. In fact, above that, the bulk of the
> extraction comes form when we hash the entire pool, feeding back a
> portion of the hash into the pool here:
>
> for (i = 0; i < r->poolinfo->poolwords; i += 16) {
> /* hash blocks of 16 words = 512 bits */
> sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
> /* feed back portion of the resulting hash */
> add_entropy_words(r, &buf[i % 5], 1);
> }
Ok, yes, I'd forgotten we were chaining in the final sha_transform. I
plead too many bufs and buf+5s, which I fix up in 6/6. Funny thing is
that I'd convinced myself that this attack didn't work (correct) last
year when I read the paper I mentioned earlier. But yesterday and
today I couldn't spot the problem with it. So again, I'll add an
explicit comment for future hackers and researchers.
--
Mathematics is the supreme nostalgia of our time.
next prev parent reply other threads:[~2007-12-09 7:12 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2.753618428@selenic.com>
[not found] ` <3.753618428@selenic.com>
2007-12-09 0:01 ` [PATCH 2/6] random: use xor for mixing Theodore Tso
2007-12-09 0:40 ` Matt Mackall
2007-12-09 2:08 ` Theodore Tso
2007-12-09 13:33 ` Alan Cox
2007-12-19 21:09 ` Bill Davidsen
[not found] ` <4.753618428@selenic.com>
2007-12-09 0:35 ` [PATCH 3/6] random: do extraction before mixing Theodore Tso
2007-12-09 7:12 ` Matt Mackall [this message]
[not found] ` <5.753618428@selenic.com>
2007-12-09 1:45 ` [PATCH 4/6] random: make backtracking attacks harder Theodore Tso
2007-12-09 5:43 ` Matt Mackall
2007-12-09 13:33 ` Theodore Tso
2007-12-09 17:05 ` Matt Mackall
2007-12-10 13:37 ` Theodore Tso
[not found] ` <6.753618428@selenic.com>
2007-12-09 1:48 ` [PATCH 5/6] random: step more rapidly through the pool when adding and extracting Theodore Tso
2007-12-09 4:00 ` Andrew Morton
2007-12-09 4:22 ` Matt Mackall
2007-12-09 12:55 ` Theodore Tso
2007-12-09 17:08 ` Matt Mackall
[not found] ` <7.753618428@selenic.com>
2007-12-09 1:51 ` [PATCH 6/6] random: improve variable naming, clear extract buffer Theodore Tso
2007-12-09 5:08 ` Matt Mackall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071209071226.GW19691@waste.org \
--to=mpm@selenic.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.