From: "Jörn Engel" <joern@logfs.org>
To: Andi Kleen <andi@firstfloor.org>
Cc: "Theodore Ts'o" <tytso@mit.edu>, "H. Peter Anvin" <hpa@zytor.com>,
lkml <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] random: mix all saved registers into entropy pool
Date: Wed, 21 May 2014 16:29:35 -0400 [thread overview]
Message-ID: <20140521202934.GA30084@logfs.org> (raw)
In-Reply-To: <20140521193905.GN1873@two.firstfloor.org>
On Wed, 21 May 2014 21:39:05 +0200, Andi Kleen wrote:
>
> > I think leaking of private keys or similar information is not a
> > concern. But please prove me wrong. Better you now than someone else
> > later.
>
> While I don't have a concrete exploit it seems seems dangerous to me.
> The LibreSSL people just removed a similar behavior from OpenSSL.
Similar, yes. But there is a difference:
Unconditionally mixing your private key into the entropy pool yields
zero entropy. While your private is hopefully unpredictable to an
attacker, it never changes. OpenSSL mixed the private keys for no
benefit.
The reason why I want this patch in is to avoid a different
non-theoretical dangerous situation. get_cycles() returns 0 on
several architectures and Ted's recent "improvements" are thus far
only noise. Architectures could define random_get_entropy() to
something else, but no architecture does it. Therefore we have
millions of embedded systems with interrupts as their sole entropy
source and jiffies as the only timestamp component.
To top it off, those same systems usually lack a read-write filesystem
and will not initialize /dev/random from state read out before the
last reboot. Now try to estimate how much time has to pass since
reboot until those systems have accumulated 128 bits of entropy. I
have not heard an estimate from anyone yet.
If you have an alternative approach to fix this very real problem
without potentially leaking private keys under conditions that also
allow more efficient attacks, I would love to know about it. So far
this is my best attempt and it beats all alternatives I know about.
Which just shows you how horrible the alternatives are.
Also see:
http://blog.fefe.de/?ts=ada960dc
https://factorable.net/weakkeys12.extended.pdf
Jörn
--
The art of propaganda is not telling lies, but rather selecting
the truth you require and giving it mixed up with some truths
the audience wants to hear.
-- Richard Crossman
next prev parent reply other threads:[~2014-05-21 20:31 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-05-19 21:17 [PATCH] random: mix all saved registers into entropy pool Jörn Engel
2014-05-19 21:23 ` Jörn Engel
2014-05-19 22:18 ` H. Peter Anvin
2014-05-19 22:39 ` Jörn Engel
2014-05-19 23:05 ` H. Peter Anvin
2014-05-19 23:18 ` Jörn Engel
2014-05-20 12:12 ` Andi Kleen
2014-05-20 20:08 ` Jörn Engel
2014-05-21 19:39 ` Andi Kleen
2014-05-21 20:29 ` Jörn Engel [this message]
2014-05-21 20:38 ` Jörn Engel
2014-06-04 23:17 ` Jörn Engel
2014-06-10 16:14 ` Theodore Ts'o
2014-06-11 0:10 ` Jörn Engel
2014-06-11 15:27 ` Theodore Ts'o
2014-06-12 20:25 ` Jörn Engel
2014-06-12 20:05 ` Jörn Engel
-- strict thread matches above, loose matches on Subject: below --
2014-02-02 20:36 [PATCH,RFC] random: collect cpu randomness Jörn Engel
2014-02-03 15:50 ` Jörn Engel
2014-02-03 16:37 ` Theodore Ts'o
2014-02-03 18:48 ` Jörn Engel
2014-03-23 18:00 ` [PATCH] random: mix all saved registers into entropy pool Jörn Engel
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20140521202934.GA30084@logfs.org \
--to=joern@logfs.org \
--cc=andi@firstfloor.org \
--cc=hpa@zytor.com \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.