From: Matt Mackall <mpm@selenic.com>
To: Theodore Tso <tytso@mit.edu>,
Andrew Morton <akpm@linux-foundation.org>,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH 3/6] random: do extraction before mixing
Date: Sun, 9 Dec 2007 01:12:26 -0600 [thread overview]
Message-ID: <20071209071226.GW19691@waste.org> (raw)
In-Reply-To: <20071209003554.GT17037@thunk.org>
On Sat, Dec 08, 2007 at 07:35:54PM -0500, Theodore Tso wrote:
> On Sat, Dec 08, 2007 at 05:20:17PM -0600, Matt Mackall wrote:
> > random: do extraction before mixing
> >
> > If an attacker manages to capture the current pool state, she can
> > determine the last 10 bytes extracted from the pool.
>
> That's not true; we aren't just extracting data in the
> __add_entropy_words() call. In fact, above that, the bulk of the
> extraction comes form when we hash the entire pool, feeding back a
> portion of the hash into the pool here:
>
> for (i = 0; i < r->poolinfo->poolwords; i += 16) {
> /* hash blocks of 16 words = 512 bits */
> sha_transform(buf, (__u8 *)(r->pool + i), buf + 5);
> /* feed back portion of the resulting hash */
> add_entropy_words(r, &buf[i % 5], 1);
> }
Ok, yes, I'd forgotten we were chaining in the final sha_transform. I
plead too many bufs and buf+5s, which I fix up in 6/6. Funny thing is
that I'd convinced myself that this attack didn't work (correct) last
year when I read the paper I mentioned earlier. But yesterday and
today I couldn't spot the problem with it. So again, I'll add an
explicit comment for future hackers and researchers.
--
Mathematics is the supreme nostalgia of our time.
next prev parent reply other threads:[~2007-12-09 7:12 UTC|newest]
Thread overview: 19+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <2.753618428@selenic.com>
[not found] ` <3.753618428@selenic.com>
2007-12-09 0:01 ` [PATCH 2/6] random: use xor for mixing Theodore Tso
2007-12-09 0:40 ` Matt Mackall
2007-12-09 2:08 ` Theodore Tso
2007-12-09 13:33 ` Alan Cox
2007-12-19 21:09 ` Bill Davidsen
[not found] ` <4.753618428@selenic.com>
2007-12-09 0:35 ` [PATCH 3/6] random: do extraction before mixing Theodore Tso
2007-12-09 7:12 ` Matt Mackall [this message]
[not found] ` <5.753618428@selenic.com>
2007-12-09 1:45 ` [PATCH 4/6] random: make backtracking attacks harder Theodore Tso
2007-12-09 5:43 ` Matt Mackall
2007-12-09 13:33 ` Theodore Tso
2007-12-09 17:05 ` Matt Mackall
2007-12-10 13:37 ` Theodore Tso
[not found] ` <6.753618428@selenic.com>
2007-12-09 1:48 ` [PATCH 5/6] random: step more rapidly through the pool when adding and extracting Theodore Tso
2007-12-09 4:00 ` Andrew Morton
2007-12-09 4:22 ` Matt Mackall
2007-12-09 12:55 ` Theodore Tso
2007-12-09 17:08 ` Matt Mackall
[not found] ` <7.753618428@selenic.com>
2007-12-09 1:51 ` [PATCH 6/6] random: improve variable naming, clear extract buffer Theodore Tso
2007-12-09 5:08 ` Matt Mackall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20071209071226.GW19691@waste.org \
--to=mpm@selenic.com \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).