From: George Spelvin <lkml@SDF.ORG>
To: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Willy Tarreau <w@1wt.eu>, Netdev <netdev@vger.kernel.org>,
Amit Klein <aksecurity@gmail.com>,
Eric Dumazet <edumazet@google.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Andrew Lutomirski <luto@kernel.org>,
Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
"Theodore Ts'o" <tytso@mit.edu>,
Marc Plumb <lkml.mplumb@gmail.com>,
Stephen Hemminger <stephen@networkplumber.org>
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"
Date: Sat, 8 Aug 2020 20:47:29 +0000 [thread overview]
Message-ID: <20200808204729.GD27941@SDF.ORG> (raw)
In-Reply-To: <CAHk-=wjeRgAoKXo-oPOjLTppYOo5ZpXFG7h6meQz6-tP0gQuNg@mail.gmail.com>
On Sat, Aug 08, 2020 at 11:19:01AM -0700, Linus Torvalds wrote:
> If siphash is a good enough hash to make the pseudo-random state hard
> to guess, then it's also a good enough hash to hide the small part of
> the fast-pool we mix in.
No!
No, no, a thousand times no.
I *just* finished explaining, using dribs and drabs of entropy allows an
*information theoretical attack* which *no* crypto can prevent.
The drip-feed design of the current patch is a catastrophic antifeature
which must be anethametized.
You could replace SipHash with a random function, the platonic ideal
to which all other cryptographic functions are compared, and you'd
still have a hole.
The fact that *nothing* can fix bad seeding is the entire reason
/dev/random exists in the first place.
*Second*, I have no intention of using full SipHash. I'm spending
all of that security margin making it as fast as possible, leaving
just enough to discourage the original attack.
As you just pointed out, half-MD4 (still used in fs/ext4/hash.c) is quite
enough to discourage attack if used appropriately.
If you go and *vastly* increase the value of a successful attack,
letting an attacker at long-lived high-value keys, I have to put all
that margin back.
(Not to mention, even full SipHash only offers 128-bit security in the
first place! Shall I go and delete AES-256 and SHA2-512, since we've
decided the Linux kernel is capped at 128-bit security?)
It's not even remotely difficult: use the *output* of random.c.
Making that safe is what all that code is for.
(It costs some cycles, but SipHash's strength lets you go long
enough between reseeds that it amorizes to insignificance.)
next prev parent reply other threads:[~2020-08-08 20:47 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-08 15:26 Flaw in "random32: update the net random state on interrupt and activity" George Spelvin
2020-08-08 17:07 ` Andy Lutomirski
2020-08-08 18:08 ` Willy Tarreau
2020-08-08 18:13 ` Linus Torvalds
2020-08-08 19:03 ` George Spelvin
2020-08-08 19:49 ` Andy Lutomirski
2020-08-08 21:29 ` George Spelvin
2020-08-08 17:44 ` Willy Tarreau
2020-08-08 18:19 ` Linus Torvalds
2020-08-08 18:53 ` Willy Tarreau
2020-08-08 20:47 ` George Spelvin [this message]
2020-08-08 20:52 ` Linus Torvalds
2020-08-08 22:27 ` George Spelvin
2020-08-09 2:07 ` Linus Torvalds
2020-08-11 16:01 ` Eric Dumazet
2020-08-08 19:18 ` Florian Westphal
2020-08-08 20:59 ` George Spelvin
2020-08-08 21:18 ` Willy Tarreau
2020-08-08 20:08 ` George Spelvin
2020-08-08 20:47 ` Linus Torvalds
2020-08-09 6:57 ` [DRAFT PATCH] random32: make prandom_u32() output unpredictable George Spelvin
2020-08-09 9:38 ` Willy Tarreau
2020-08-09 17:06 ` George Spelvin
2020-08-09 17:33 ` Willy Tarreau
2020-08-09 18:30 ` George Spelvin
2020-08-09 19:16 ` Willy Tarreau
2020-08-10 11:47 ` Willy Tarreau
2020-08-10 12:01 ` David Laight
2020-08-10 14:48 ` Willy Tarreau
2020-08-10 12:03 ` Florian Westphal
2020-08-10 14:53 ` Willy Tarreau
2020-08-10 16:31 ` Linus Torvalds
2020-08-10 16:58 ` Willy Tarreau
2020-08-10 17:45 ` Linus Torvalds
2020-08-10 18:01 ` Willy Tarreau
2020-08-10 21:04 ` Willy Tarreau
2020-08-11 5:26 ` George Spelvin
2020-08-11 5:37 ` Willy Tarreau
2020-08-11 3:47 ` George Spelvin
2020-08-11 3:58 ` Willy Tarreau
[not found] ` <fdbc7d7d-cba2-ef94-9bde-b3ccae0cfaac@gmail.com>
2020-08-09 21:10 ` Marc Plumb
2020-08-09 21:48 ` Linus Torvalds
2020-08-09 13:50 ` Randy Dunlap
[not found] ` <CANEQ_++a4YcwQQ2XhuguTono9=RxbSRVsMw08zLWBWJ_wxG2AQ@mail.gmail.com>
2020-08-09 16:08 ` George Spelvin
-- strict thread matches above, loose matches on Subject: below --
2020-08-12 6:03 Flaw in "random32: update the net random state on interrupt and activity" Sedat Dilek
2020-08-12 6:35 ` Sedat Dilek
2020-08-12 7:13 ` Sedat Dilek
2020-08-12 15:16 ` Eric Dumazet
2020-08-12 16:20 ` Sedat Dilek
2020-08-12 16:24 ` Eric Dumazet
2020-08-12 16:38 ` Sedat Dilek
2020-08-19 9:51 ` Sedat Dilek
2021-01-08 13:08 ` Sedat Dilek
2021-01-08 13:51 ` Sedat Dilek
2021-01-08 15:41 ` Eric Dumazet
2021-01-08 21:32 ` Sedat Dilek
[not found] <9f74230f-ba4d-2e19-5751-79dc2ab59877@gmail.com>
2020-08-05 0:57 ` Marc Plumb
2020-08-05 1:02 ` Linus Torvalds
2020-08-05 2:49 ` Willy Tarreau
2020-08-05 15:34 ` tytso
2020-08-05 16:06 ` Marc Plumb
2020-08-05 19:38 ` Willy Tarreau
2020-08-05 22:21 ` Marc Plumb
2020-08-06 6:30 ` Willy Tarreau
2020-08-06 17:18 ` Marc Plumb
2020-08-07 7:03 ` Willy Tarreau
2020-08-07 16:52 ` Marc Plumb
2020-08-07 17:43 ` Willy Tarreau
[not found] ` <C74EC3BC-F892-416F-A95C-4ACFC96EEECE@amacapital.net>
2020-08-07 18:04 ` Willy Tarreau
2020-08-07 18:10 ` Linus Torvalds
2020-08-07 19:08 ` Andy Lutomirski
2020-08-07 19:21 ` Linus Torvalds
2020-08-07 19:33 ` Andy Lutomirski
2020-08-07 19:56 ` Linus Torvalds
2020-08-07 20:16 ` Andy Lutomirski
2020-08-07 20:24 ` Linus Torvalds
2020-08-07 19:59 ` Marc Plumb
2020-08-07 22:19 ` Willy Tarreau
2020-08-07 22:45 ` Marc Plumb
2020-08-07 23:11 ` Willy Tarreau
2020-08-05 22:05 ` tytso
2020-08-05 23:03 ` Andy Lutomirski
2020-08-06 17:00 ` Marc Plumb
2020-08-05 16:24 ` Jason A. Donenfeld
2020-08-05 16:53 ` Willy Tarreau
2020-08-05 15:44 ` Marc Plumb
2020-08-05 16:39 ` Linus Torvalds
2020-08-05 23:49 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200808204729.GD27941@SDF.ORG \
--to=lkml@sdf.org \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=lkml.mplumb@gmail.com \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stephen@networkplumber.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).