From: "H. Peter Anvin" <hpa@zytor.com>
To: Matt Mackall <mpm@selenic.com>, Kees Cook <keescook@chromium.org>
Cc: Jason Cooper <jason@lakedaemon.net>,
"Theodore Ts'o" <tytso@mit.edu>,
LKML <linux-kernel@vger.kernel.org>,
Herbert Xu <herbert@gondor.apana.org.au>,
Rusty Russell <rusty@rustcorp.com.au>,
Satoru Takeuchi <satoru.takeuchi@gmail.com>,
linux-crypto <linux-crypto@vger.kernel.org>,
Andrew Morton <akpm@linux-foundation.org>
Subject: Re: [PATCH][RESEND 3] hwrng: add randomness to system from rng sources
Date: Sun, 16 Mar 2014 19:12:05 -0700
Message-ID: <532659F5.2030005@zytor.com>
In-Reply-To: <1393972797.8344.190.camel@calx>
On 03/04/2014 02:39 PM, Matt Mackall wrote:
>
> [temporarily coming out of retirement to provide a clue]
>
> The pool mixing function is intentionally _reversible_. This is a
> crucial security property.
>
> That means, if I have an initial secret pool state X, and hostile
> attacker controlled data Y, then we can do:
>
> X' = mix(X, Y)
>
> and
>
> X = unmix(X', Y)
>
> We can see from this that the combination of (X' and Y) still contain
> the information that was originally in X. Since it's clearly not in Y..
> it must all remain in X'.
>
This of course assumes that the attacker doesn't know the state of the
pool X.
The other thing to note is that reversible doesn't necessarily mean
linear (the current mixing function is linear.) AES, for example, is
reversible (if and only if you possess the key) but is highly nonlinear.
I'm not saying we should use AES to mix the pool -- it is almost
guaranteed to be too expensive.
-hpa
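The property Matt describes (mix followed by unmix gives back X, so attacker-controlled Y cannot destroy the entropy already in the pool) and hpa's follow-up (reversible does not imply linear) can both be shown with a toy pool. The following is an added example and not code from drivers/char/random.c or from this thread: a four-word pool, a Feistel-style mixing step whose round function is deliberately nonlinear yet still exactly invertible, and a contrasting lossy mixer that lets an attacker who picks y = 0 collapse every secret state onto the same output. The round function, word count and sample states are assumptions chosen for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define POOL_WORDS 4

/* Constructed sample secret states; they differ only in word 0. */
const uint32_t SAMPLE_X[POOL_WORDS]  = {0xdeadbeef, 0x01234567, 0x89abcdef, 0xfeedface};
const uint32_t SAMPLE_X2[POOL_WORDS] = {0xdeadbeee, 0x01234567, 0x89abcdef, 0xfeedface};

static uint32_t rol32(uint32_t v, unsigned s)
{
    s &= 31;
    return s ? (v << s) | (v >> (32 - s)) : v;
}

/*
 * Round function: takes the neighbouring pool word ("tap") and the
 * input y. The AND term makes it nonlinear over GF(2); that does not
 * matter for invertibility because pool[i] is updated by XOR with a
 * value that does not depend on pool[i] itself (Feistel structure).
 */
static uint32_t round_fn(uint32_t tap, uint32_t y, unsigned i)
{
    return rol32(y, 7 * i) ^ rol32(tap, 13) ^ (tap & rol32(y, 3));
}

/* Reversible mix: for fixed y this is a bijection on the pool state. */
void mix(uint32_t pool[POOL_WORDS], uint32_t y)
{
    for (unsigned i = 0; i < POOL_WORDS; i++)
        pool[i] ^= round_fn(pool[(i + 1) % POOL_WORDS], y, i);
}

/*
 * Exact inverse: undo the steps in reverse order. At each step the tap
 * word holds the same value it held during mix (word 0 is still in its
 * mixed form when step 3 is undone, and words i+1 are already restored
 * when step i is undone), so the same XOR cancels the update.
 */
void unmix(uint32_t pool[POOL_WORDS], uint32_t y)
{
    for (unsigned i = POOL_WORDS; i-- > 0; )
        pool[i] ^= round_fn(pool[(i + 1) % POOL_WORDS], y, i);
}

/* Lossy mix: AND with attacker data can erase the secret state. */
void lossy_mix(uint32_t pool[POOL_WORDS], uint32_t y)
{
    for (unsigned i = 0; i < POOL_WORDS; i++)
        pool[i] = (pool[i] & y) ^ rol32(y, 5 * i);
}

/* True iff unmix(mix(X, y), y) == X. */
bool roundtrips(const uint32_t x[POOL_WORDS], uint32_t y)
{
    uint32_t p[POOL_WORDS];
    memcpy(p, x, sizeof p);
    mix(p, y);
    unmix(p, y);
    return memcmp(p, x, sizeof p) == 0;
}

/* True iff two distinct secret states end up identical after mix(., y). */
bool mix_collides(const uint32_t a[POOL_WORDS], const uint32_t b[POOL_WORDS], uint32_t y)
{
    uint32_t pa[POOL_WORDS], pb[POOL_WORDS];
    memcpy(pa, a, sizeof pa);
    memcpy(pb, b, sizeof pb);
    mix(pa, y);
    mix(pb, y);
    return memcmp(pa, pb, sizeof pa) == 0;
}

/* Same check for the lossy mixer. */
bool lossy_collides(const uint32_t a[POOL_WORDS], const uint32_t b[POOL_WORDS], uint32_t y)
{
    uint32_t pa[POOL_WORDS], pb[POOL_WORDS];
    memcpy(pa, a, sizeof pa);
    memcpy(pb, b, sizeof pb);
    lossy_mix(pa, y);
    lossy_mix(pb, y);
    return memcmp(pa, pb, sizeof pa) == 0;
}

int main(void)
{
    uint32_t attacker_y = 0;   /* hostile input chosen to zero the AND term */
    printf("reversible mix round-trips:           %d\n", roundtrips(SAMPLE_X, 0x5a5a5a5a));
    printf("reversible mix merges two states, y=0: %d\n", mix_collides(SAMPLE_X, SAMPLE_X2, attacker_y));
    printf("lossy mix merges two states, y=0:      %d\n", lossy_collides(SAMPLE_X, SAMPLE_X2, attacker_y));
    return 0;
}
```

Because mix is a bijection for every y, two different secret states can never be driven to the same X' no matter what the attacker feeds in, which is the information-preservation argument in the quoted message; the lossy variant shows the failure mode. Note that reversibility says nothing about an attacker who already knows X: as hpa points out, such an attacker can simply compute mix(X, Y) themselves.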
Thread overview: 16+ messages
2014-03-03 23:51 [PATCH][RESEND 3] hwrng: add randomness to system from rng sources Kees Cook
2014-03-04 15:38 ` Jason Cooper
2014-03-04 19:01 ` Kees Cook
2014-03-04 19:53 ` Jason Cooper
2014-03-04 19:59 ` Kees Cook
2014-03-04 22:39 ` Matt Mackall
2014-03-05 21:11 ` Jason Cooper
2014-03-05 21:51 ` Kees Cook
2014-03-06 0:52 ` Matt Mackall
2014-03-06 1:34 ` Kees Cook
2014-03-06 12:54 ` Jason Cooper
2014-03-17 2:12 ` H. Peter Anvin [this message]
2014-03-06 12:55 ` Jason Cooper
2014-03-10 12:22 ` Herbert Xu
2014-03-16 22:56 ` H. Peter Anvin
2014-03-17 11:53 ` Austin S Hemmelgarn