Message-ID: <6601569a-f339-bc2c-0459-5548a21d0595@gmail.com>
Date:   Tue, 17 Sep 2019 18:11:04 +0500
From:   "Alexander E. Patrakov" <patrakov@...il.com>
To:     "Theodore Y. Ts'o" <tytso@....edu>,
        Martin Steigerwald <martin@...htvoll.de>
Cc:     Willy Tarreau <w@....eu>, Matthew Garrett <mjg59@...f.ucam.org>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        "Ahmed S. Darwish" <darwish.07@...il.com>,
        Vito Caputo <vcaputo@...garu.com>,
        Lennart Poettering <mzxreary@...inter.de>,
        Andreas Dilger <adilger.kernel@...ger.ca>,
        Jan Kara <jack@...e.cz>, Ray Strode <rstrode@...hat.com>,
        William Jon McCann <mccann@....edu>,
        zhangjs <zachary@...shancloud.com>, linux-ext4@...r.kernel.org,
        lkml <linux-kernel@...r.kernel.org>
Subject: Re: Linux 5.3-rc8

17.09.2019 17:11, Theodore Y. Ts'o writes:
> There are only two ways out of this mess.  The first option is we take
> functionality away from a userspace author who Really Wants A Secure
> Random Number Generator.  And there are an awful lot of programs who
> really want secure crypto, because this is not a hypothetical.  The
> result in "Mining your P's and Q's" did happen before.  If we forget
> the history, we are doomed to repeat it.

You cannot take away functionality that does not really exist. Every 
time somebody tries to use it, there is huge news, "the boot process 
is blocked on application FOO", followed by an insecure fallback to 
/dev/urandom in the said application or library.

Regarding the "Mining your P's and Q's" paper: I would say it is a 
combination of TWO faults, only one of which (poor, or, as explained 
below, "marginally poor" entropy) is discussed and the other one (not 
really sound crypto when deriving the RSA key from the 
presumably available entropy) is ignored.

The authors of the paper factored the weak keys by applying the 
generalized GCD algorithm, thus looking for common factors in the RSA 
public keys. For two RSA public keys to be detected as faulty, they must 
share exactly one of their prime factors. In other words: repeated keys 
were specifically excluded from the study by the paper authors.

Sharing only one of the two primes means that the systems in 
question behaved identically when they generated the first prime, but 
diverged (possibly due to the extra entropy becoming available) when 
they generated the second one. And asking the randomness for p and for q 
separately is what I would call the application bug here that nobody 
wants to talk about: both p and q should have been derived from a CSPRNG 
seeded by a single read from a random source. If that practice were 
followed, then it would either result in a duplicate key (which is not 
as bad as a factorable one), or in completely unrelated keys.

-- 
Alexander E. Patrakov
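The two failure modes discussed in the message above, as an added worked example that is not part of the original e-mail thread or of any project mentioned in it. It models the scenario in Python with toy 32-bit primes (real RSA uses 1024-bit or larger primes; the arithmetic is otherwise the same): a "weak" generator draws p from a pool state shared by every device at first boot and draws q after extra entropy has been mixed in, while the "single-seed" generator reads the pool once, seeds a DRBG with it and derives both primes from that stream. The batch-GCD routine is the product/remainder-tree method that computes gcd(N_i, product of all other N_j) for every modulus at once. The SHA-256 counter-mode DRBG, the device names and the "pool" byte strings are constructed stand-ins and are not taken from the paper or from any real device.

```python
import hashlib
import math

PRIME_BITS = 32  # toy size so the demo runs instantly; the argument does not depend on it


class Drbg:
    """Toy deterministic bit generator: SHA-256 in counter mode over a seed.

    Stand-in for a real CSPRNG such as HMAC-DRBG (assumption: only the
    'seed once, draw many' property matters for this demonstration).
    """

    def __init__(self, seed: bytes):
        self.seed = hashlib.sha256(seed).digest()
        self.counter = 0

    def mix(self, entropy: bytes):
        # Model of a kernel pool absorbing new entropy between two reads.
        self.seed = hashlib.sha256(self.seed + entropy).digest()

    def getbytes(self, n: int) -> bytes:
        out = b""
        while len(out) < n:
            out += hashlib.sha256(self.seed + self.counter.to_bytes(8, "big")).digest()
            self.counter += 1
        return out[:n]

    def getrandbits(self, bits: int) -> int:
        nbytes = (bits + 7) // 8
        return int.from_bytes(self.getbytes(nbytes), "big") >> (8 * nbytes - bits)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24, far beyond our toy sizes."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2:
        return False
    for b in bases:
        if n % b == 0:
            return n == b
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(rng: Drbg, bits: int) -> int:
    """Draw candidates from the stream until one is prime (top and low bits forced)."""
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(c):
            return c


def weak_keygen(boot_pool: bytes, late_entropy: bytes):
    """The pattern the paper found: p from the shared boot state, extra entropy, then q."""
    rng = Drbg(boot_pool)
    p = random_prime(rng, PRIME_BITS)
    rng.mix(late_entropy)  # device-specific entropy arrives between the two draws
    q = random_prime(rng, PRIME_BITS)
    return p, q, p * q


def single_seed_keygen(pool_at_read: bytes):
    """The fix argued for above: one read of the random source seeds a DRBG; both primes come from it."""
    rng = Drbg(pool_at_read)
    p = random_prime(rng, PRIME_BITS)
    q = random_prime(rng, PRIME_BITS)
    return p, q, p * q


def batch_gcd(moduli):
    """For each N_i return gcd(N_i, prod_{j != i} N_j) using a product tree and a remainder tree."""
    tree = [list(moduli)]
    while len(tree[-1]) > 1:  # product tree: pair up neighbours level by level
        lvl = tree[-1]
        tree.append([lvl[i] * lvl[i + 1] if i + 1 < len(lvl) else lvl[i] for i in range(0, len(lvl), 2)])
    rems = tree.pop()  # root: product of all moduli
    while tree:  # remainder tree: P mod child^2 at every level down to the leaves
        lvl = tree.pop()
        rems = [rems[i // 2] % (lvl[i] ** 2) for i in range(len(lvl))]
    # (P mod N^2) / N == (P / N) mod N, so this gcd equals gcd(P / N, N)
    return [math.gcd(r // n, n) for r, n in zip(rems, moduli)]


def classify(moduli):
    """Label each modulus the way the paper's analysis distinguishes them."""
    labels = []
    for n, g in zip(moduli, batch_gcd(moduli)):
        if g == 1:
            labels.append("unrelated")
        elif g == n:
            labels.append("duplicate")  # every prime of N appears elsewhere: a repeated key, not a factored one
        else:
            labels.append("factored")  # exactly one prime shared; g is that prime and N/g the other
    return labels


BOOT_POOL = b"firmware-image-v1 + zero uptime"  # constructed: identical pool state on every device at first boot

if __name__ == "__main__":
    weak = [weak_keygen(BOOT_POOL, b"device-A mac/clock"), weak_keygen(BOOT_POOL, b"device-B mac/clock")]
    print("weak devices:", classify([n for _, _, n in weak]), "shared prime:", batch_gcd([n for _, _, n in weak]))
    fixed = [single_seed_keygen(BOOT_POOL), single_seed_keygen(BOOT_POOL),  # read before any device entropy
             single_seed_keygen(BOOT_POOL + b"device-E mac/clock"),  # read after it arrived
             single_seed_keygen(BOOT_POOL + b"device-F mac/clock")]
    print("single-seed devices:", classify([n for _, _, n in fixed]))
```

Running it shows the two weak devices labelled "factored" with the batch GCD returning their common p, whereas the single-seed devices come out either as exact duplicates (both read the pool in the same state) or as unrelated keys; no single prime is ever shared, which is the distinction the message draws.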


