From: Marc Plumb <lkml.mplumb@gmail.com>
To: tytso@mit.edu, Willy Tarreau <w@1wt.eu>
Cc: netdev@vger.kernel.org, aksecurity@gmail.com,
torvalds@linux-foundation.org, edumazet@google.com,
Jason@zx2c4.com, luto@kernel.org, keescook@chromium.org,
tglx@linutronix.de, peterz@infradead.org, stable@vger.kernel.org
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"
Date: Wed, 5 Aug 2020 09:06:40 -0700
Message-ID: <c200297c-85a5-dd50-9497-6fcf7f07b727@gmail.com>
In-Reply-To: <20200805153432.GE497249@mit.edu>
Hi Ted,
On 2020-08-05 8:34 a.m., tytso@mit.edu wrote:
> On Wed, Aug 05, 2020 at 04:49:41AM +0200, Willy Tarreau wrote:
>> Not only was this obviously not the goal, but I'd be particularly
>> interested in seeing this reality demonstrated, considering that
>> the whole 128 bits of fast_pool together count as a single bit of
>> entropy, and that as such, even if you were able to figure the
>> value of the 32 bits leaked to net_rand_state, you'd still have to
>> guess the 96 other bits for each single entropy bit :-/
> Not only that, you'd have to figure out which 32-bits in the fast_pool
> actually had gotten leaked to the net_rand_state.
That's 2 bits which are already inputs to the fast_pool, so it doesn't
even make a brute force any more difficult.
> I agree with Willy that I'd love to see an exploit since it would
> probably give a lot of insights. Maybe at a Crypto rump session once
> it's safe to have those sorts of things again. :-)
Just because you or I don't have a working exploit doesn't mean that
someone else isn't more clever. It pays to be paranoid about
cryptographic primitives and there is nothing more important than the
entropy pool.
> So replacing LFSR-based PRNG with
> something stronger which didn't release any bits from the fast_pool
> would certainly be desirable, and I look forward to seeing what Willy
> has in mind.
Isn't get_random_u32 the function you wrote to do that? If this needs to
be cryptographically secure, that's an existing option that's safe.
The fundamental question is: Why is this attack on net_rand_state a
problem? It's Working as Designed. Why is it a major enough problem to
risk harming cryptographically important functions?
Do you remember how you resisted making /dev/urandom fast for large reads
for a long time to punish stupid uses of the interface? In this case
anyone who is using net_rand_state assuming it is a CPRNG should stop
doing that. Don't enable stupidity in the kernel.
This whole thing is making the fundamental mistake of all amateur
cryptographers of trying to create your own cryptographic primitive.
You're trying to invent a secure stream cipher. Either don't try to make
net_rand_state secure, or use a known secure primitive.
Thanks,
Marc
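The point both sides of this exchange take for granted, that an LFSR-based generator such as the one behind prandom_u32() / net_rand_state is not a secure stream cipher, can be made concrete. The following C program is an added example and is not code from this thread, from Marc, or from the kernel tree. It reimplements the taus113 combined Tausworthe generator with the parameters lib/random32.c used in 2020 (the shift amounts and masks are the published taus113 constants; the four seed words and the choice of observing 8 outputs are constructed for the demo). Because the state update and the output use only shifts, XOR and AND-with-constant, every output bit is a GF(2)-linear function of the 128 state bits; the program pushes each unit vector through the generator to obtain that linear system, solves it by Gaussian elimination over GF(2) from a handful of observed outputs, and then predicts the outputs that follow. Nothing of the kind is possible against get_random_u32(), whose ChaCha-based output has no such linear identity; that contrast is the "use a known secure primitive" argument above in code form.

```c
/* Added example: recovering the state of an XOR-linear PRNG from its output.
 * Reimplementation of the taus113 generator (L'Ecuyer) with the parameters
 * lib/random32.c used in 2020.  Not the kernel's code; seeds are constructed. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NSTATE 4                /* four 32-bit component states         */
#define NBITS  (32 * NSTATE)    /* 128 state bits (113 of them matter)  */
#define NOBS   8                /* outputs the observer gets to see     */
#define NPRED  4                /* outputs we then try to predict       */
#define NEQ    (32 * NOBS)      /* one GF(2) equation per observed bit  */

struct rnd_state { uint32_t s[NSTATE]; };

/* One Tausworthe component: shifts, XOR and AND with a constant only,
 * hence GF(2)-linear in s.  a = q, b = k - s, c = mask, d = s. */
static uint32_t taus_step(uint32_t s, int a, int b, uint32_t c, int d)
{
    return ((s & c) << d) ^ (((s << a) ^ s) >> b);
}

static uint32_t prng_next(struct rnd_state *st)
{
    st->s[0] = taus_step(st->s[0],  6, 13, 0xFFFFFFFEu, 18);
    st->s[1] = taus_step(st->s[1],  2, 27, 0xFFFFFFF8u,  2);
    st->s[2] = taus_step(st->s[2], 13, 21, 0xFFFFFFF0u,  7);
    st->s[3] = taus_step(st->s[3],  3, 12, 0xFFFFFF80u, 13);
    return st->s[0] ^ st->s[1] ^ st->s[2] ^ st->s[3];
}

/* The property the solver relies on: f(a ^ b) == f(a) ^ f(b) for the whole
 * output stream.  A ChaCha-based CRNG has no identity of this kind. */
bool xor_linearity_holds(void)
{
    struct rnd_state a = {{0x01234567u, 0x89ABCDEFu, 0x0F1E2D3Cu, 0x4B5A6978u}};
    struct rnd_state b = {{0xDEADBEEFu, 0x0BADF00Du, 0xCAFEBABEu, 0x8BADF00Du}};
    struct rnd_state ab;
    for (int j = 0; j < NSTATE; j++) ab.s[j] = a.s[j] ^ b.s[j];
    for (int t = 0; t < 16; t++)
        if ((prng_next(&a) ^ prng_next(&b)) != prng_next(&ab)) return false;
    return true;
}

typedef struct { uint64_t c[2]; uint8_t rhs; } row_t;   /* 128 coeffs + RHS */
static int  getbit(const uint64_t *c, int i) { return (c[i >> 6] >> (i & 63)) & 1; }
static void setbit(uint64_t *c, int i)       { c[i >> 6] |= (uint64_t)1 << (i & 63); }

/* Express the NOBS observed outputs as linear functions of the 128 unknown
 * state bits by running the generator on each unit vector. */
static void build_rows(const uint32_t *obs, row_t *rows)
{
    memset(rows, 0, sizeof(row_t) * NEQ);
    for (int i = 0; i < NBITS; i++) {
        struct rnd_state st = {{0}};
        st.s[i / 32] = 1u << (i % 32);
        for (int t = 0; t < NOBS; t++) {
            uint32_t y = prng_next(&st);
            for (int k = 0; k < 32; k++)
                if ((y >> k) & 1) setbit(rows[32 * t + k].c, i);
        }
    }
    for (int t = 0; t < NOBS; t++)
        for (int k = 0; k < 32; k++)
            rows[32 * t + k].rhs = (obs[t] >> k) & 1;
}

/* Gauss-Jordan elimination over GF(2).  Returns false if no state could
 * have produced obs[].  Bits the outputs never depend on are left at 0. */
bool recover_state(const uint32_t *obs, struct rnd_state *out)
{
    row_t rows[NEQ];
    int pivot_col[NBITS], rank = 0;
    build_rows(obs, rows);
    for (int col = 0; col < NBITS && rank < NEQ; col++) {
        int p = -1;
        for (int r = rank; r < NEQ; r++)
            if (getbit(rows[r].c, col)) { p = r; break; }
        if (p < 0) continue;                       /* free variable */
        row_t tmp = rows[p]; rows[p] = rows[rank]; rows[rank] = tmp;
        for (int r = 0; r < NEQ; r++)
            if (r != rank && getbit(rows[r].c, col)) {
                rows[r].c[0] ^= rows[rank].c[0];
                rows[r].c[1] ^= rows[rank].c[1];
                rows[r].rhs  ^= rows[rank].rhs;
            }
        pivot_col[rank++] = col;
    }
    for (int r = rank; r < NEQ; r++)
        if (rows[r].rhs) return false;             /* 0 = 1: inconsistent */
    memset(out, 0, sizeof(*out));
    for (int r = 0; r < rank; r++)
        if (rows[r].rhs) out->s[pivot_col[r] / 32] |= 1u << (pivot_col[r] % 32);
    return true;
}

/* Observer's view: see NOBS outputs, rebuild the state, predict NPRED more.
 * Returns how many predictions matched (NPRED on success). */
int predicted_correctly(void)
{
    /* Constructed seed; each word is above the per-component minimum. */
    struct rnd_state victim = {{0x9E3779B9u, 0x7F4A7C15u, 0xF39CC060u, 0x5CEDC834u}};
    struct rnd_state guess;
    uint32_t obs[NOBS];
    for (int t = 0; t < NOBS; t++) obs[t] = prng_next(&victim);
    if (!recover_state(obs, &guess)) return -1;
    for (int t = 0; t < NOBS; t++)                 /* replay what we saw   */
        if (prng_next(&guess) != obs[t]) return -2;
    int ok = 0;
    for (int t = 0; t < NPRED; t++)                /* now the unseen ones  */
        ok += prng_next(&guess) == prng_next(&victim);
    return ok;
}

int main(void)
{
    printf("xor-linear output: %s\n", xor_linearity_holds() ? "yes" : "no");
    int n = predicted_correctly();
    printf("from %d observed outputs, predicted %d/%d following outputs\n", NOBS, n, NPRED);
    return n == NPRED ? 0 : 1;
}
```

The solver does not know or need the seeding path: any linear generator whose outputs are visible, however the state was seeded, falls to the same elimination, which is why adding noise to the state does not turn it into a stream cipher. The recovered state may differ from the victim's in the 15 bits the recurrence never reads (one low bit of s1, three of s2, four of s3, seven of s4), and that is harmless because no future output depends on them.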
Thread overview: 64+ messages
[not found] <9f74230f-ba4d-2e19-5751-79dc2ab59877@gmail.com>
2020-08-05 0:57 ` Flaw in "random32: update the net random state on interrupt and activity" Marc Plumb
2020-08-05 1:02 ` Linus Torvalds
2020-08-05 2:49 ` Willy Tarreau
2020-08-05 15:34 ` tytso
2020-08-05 16:06 ` Marc Plumb [this message]
2020-08-05 19:38 ` Willy Tarreau
2020-08-05 22:21 ` Marc Plumb
2020-08-06 6:30 ` Willy Tarreau
2020-08-06 17:18 ` Marc Plumb
2020-08-07 7:03 ` Willy Tarreau
2020-08-07 16:52 ` Marc Plumb
2020-08-07 17:43 ` Willy Tarreau
[not found] ` <C74EC3BC-F892-416F-A95C-4ACFC96EEECE@amacapital.net>
2020-08-07 18:04 ` Willy Tarreau
2020-08-07 18:10 ` Linus Torvalds
2020-08-07 19:08 ` Andy Lutomirski
2020-08-07 19:21 ` Linus Torvalds
2020-08-07 19:33 ` Andy Lutomirski
2020-08-07 19:56 ` Linus Torvalds
2020-08-07 20:16 ` Andy Lutomirski
2020-08-07 20:24 ` Linus Torvalds
2020-08-07 19:59 ` Marc Plumb
2020-08-07 22:19 ` Willy Tarreau
2020-08-07 22:45 ` Marc Plumb
2020-08-07 23:11 ` Willy Tarreau
2020-08-05 22:05 ` tytso
2020-08-05 23:03 ` Andy Lutomirski
2020-08-06 17:00 ` Marc Plumb
2020-08-05 16:24 ` Jason A. Donenfeld
2020-08-05 16:53 ` Willy Tarreau
2020-08-05 15:44 ` Marc Plumb
2020-08-05 16:39 ` Linus Torvalds
2020-08-05 23:49 ` Stephen Hemminger
2020-08-08 15:26 George Spelvin
2020-08-08 17:07 ` Andy Lutomirski
2020-08-08 18:08 ` Willy Tarreau
2020-08-08 18:13 ` Linus Torvalds
2020-08-08 19:03 ` George Spelvin
2020-08-08 19:49 ` Andy Lutomirski
2020-08-08 21:29 ` George Spelvin
2020-08-08 17:44 ` Willy Tarreau
2020-08-08 18:19 ` Linus Torvalds
2020-08-08 18:53 ` Willy Tarreau
2020-08-08 20:47 ` George Spelvin
2020-08-08 20:52 ` Linus Torvalds
2020-08-08 22:27 ` George Spelvin
2020-08-09 2:07 ` Linus Torvalds
2020-08-11 16:01 ` Eric Dumazet
2020-08-08 19:18 ` Florian Westphal
2020-08-08 20:59 ` George Spelvin
2020-08-08 21:18 ` Willy Tarreau
2020-08-08 20:08 ` George Spelvin
2020-08-08 20:47 ` Linus Torvalds