Re: [PROPOSAL/PATCH] Fortuna PRNG in /dev/random

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

From: "Theodore Ts'o" <tytso@mit.edu>
To: Jean-Luc Cooke <jlcooke@certainkey.com>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [PROPOSAL/PATCH] Fortuna PRNG in /dev/random
Date: Fri, 24 Sep 2004 17:34:52 -0400	[thread overview]
Message-ID: <20040924213452.GA22399@thunk.org> (raw)
In-Reply-To: <20040924175929.GU28317@certainkey.com>

On Fri, Sep 24, 2004 at 01:59:29PM -0400, Jean-Luc Cooke wrote:
> > If they only want crypto-secure random numbers, they can do it in
> > userspace.  Information secure random numbers is something the kernel
> > can provide, because it has low-level access to entrpoy sources.  So
> > why not try to do the best possible job? 
> 
> Sure.  I hate Brittney Spears, but I will not deny people the choice.

The principle of avoiding kernel bloat means that if it doesn't have
to be done in the kernel, it should be done in userspace.  If all
you're providing is an CRNG, the question then is why should it be
done in kernel, when it could be done just as easily in userspace, and
using /dev/random as its input?

> > This is another red herring.  First of all, we're not using the hash
> > as a MAC, or in any way where we would care about collisions.
> > Secondly, all of the places where we take a hash, we are always doing
> > it 16 bytes at a time, which is SHA's block size, so that there's no
> > need for any padding.  And although you didn't complain about it,
> > that's also why we don't need to mix in the length in the padding;
> > extension attacks just simply aren't an issue, since the way we are
> > using the hash, that just simply an issue as far as the strength of
> > /dev/random.
> 
> Woh there.  Didn't you just say "see, these hashes are weakened.  That's
> bad".  Now I just demonstrated the same thing with your SHA1 implementation
> and you throw that "red-herring" phrase out again?

No, what I'm saying is that crypto primitives can get weakened; this
is a fact of life.  SHA-0, MD4, MD5, etc. are now useless as general
purpose cryptographic hashes.  Fortuna makes the assumptions that
crypto primitives will never break, as it relies on them so heavily.
I have a problem with this, since I remember ten years ago when people
were as confident in MD5 as you appear to be in SHA-256 today.

Crypto academics are fond of talking about how you can "prove" that
Fortuna is secure.  But that proof handwaves around the fact that we
have no capability of proving whether SHA-1, or SHA-256, is truly
secure.

In contrast, /dev/random doesn't have this dependence, which (a) is a
good thing, and (b) why it doesn't bother with the SHA finalization
step.  It's simply not necessary.

						- Ted

next prev parent reply	other threads:[~2004-09-24 21:35 UTC|newest]

Thread overview: 35+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-09-23 23:43 [PROPOSAL/PATCH] Fortuna PRNG in /dev/random Jean-Luc Cooke
2004-09-24  4:38 ` Theodore Ts'o
2004-09-24 12:54   ` Jean-Luc Cooke
2004-09-24 17:43     ` Theodore Ts'o
2004-09-24 17:59       ` Jean-Luc Cooke
2004-09-24 20:44         ` Scott Robert Ladd
2004-09-24 21:34         ` Theodore Ts'o [this message]
2004-09-25 14:51           ` Jean-Luc Cooke
2004-09-24 18:43       ` James Morris
2004-09-24 19:09         ` Matt Mackall
2004-09-24 20:03         ` Lee Revell
2004-09-24 13:44   ` Jean-Luc Cooke
2004-09-27  4:58 ` Theodore Ts'o
     [not found]   ` <20040927133203.GF28317@certainkey.com>
2004-09-27 14:55     ` Theodore Ts'o
2004-09-27 15:19       ` Jean-Luc Cooke
  -- strict thread matches above, loose matches on Subject: below --
2004-09-24  0:59 linux
2004-09-24  2:34 ` Jean-Luc Cooke
2004-09-24  6:19   ` linux
2004-09-24 21:42   ` linux
2004-09-25 14:54     ` Jean-Luc Cooke
2004-09-25 18:43       ` Theodore Ts'o
2004-09-26  1:42         ` Jean-Luc Cooke
2004-09-26  5:23           ` Theodore Ts'o
2004-09-27  0:50             ` linux
2004-09-27 13:07               ` Jean-Luc Cooke
2004-09-27 14:23               ` Theodore Ts'o
2004-09-27 14:42                 ` Jean-Luc Cooke
2004-09-26  6:46           ` linux
2004-09-26 16:32             ` Jean-Luc Cooke
2004-09-26  2:31       ` linux
2004-09-27 18:53 Manfred Spraul
2004-09-27 19:45 ` Jean-Luc Cooke
2004-09-28  0:07   ` Theodore Ts'o
2004-09-28  2:24     ` Jean-Luc Cooke
2004-09-28 13:46       ` Herbert Poetzl

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040924213452.GA22399@thunk.org \
    --to=tytso@mit.edu \
    --cc=jlcooke@certainkey.com \
    --cc=linux-kernel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox