lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090506212405.GB4861@elte.hu>
Date:	Wed, 6 May 2009 23:24:05 +0200
From:	Ingo Molnar <mingo@...e.hu>
To:	Matt Mackall <mpm@...enic.com>
Cc:	Linus Torvalds <torvalds@...ux-foundation.org>,
	"Eric W. Biederman" <ebiederm@...ssion.com>,
	Arjan van de Ven <arjan@...radead.org>,
	Jake Edge <jake@....net>, security@...nel.org,
	Linux Kernel Mailing List <linux-kernel@...r.kernel.org>,
	James Morris <jmorris@...ei.org>,
	linux-security-module@...r.kernel.org,
	Eric Paris <eparis@...hat.com>,
	Alan Cox <alan@...rguk.ukuu.org.uk>,
	Roland McGrath <roland@...hat.com>, mingo@...hat.com,
	Andrew Morton <akpm@...ux-foundation.org>,
	Greg KH <greg@...ah.com>, Dave Jones <davej@...hat.com>
Subject: Re: [patch] random: make get_random_int() more random


* Matt Mackall <mpm@...enic.com> wrote:

> On Wed, May 06, 2009 at 10:51:45PM +0200, Ingo Molnar wrote:
> > Linus's patch is a marked improvement, and it is really what we need 
> > here mostly.
> 
> No one's arguing that it isn't an improvement. But -15 years of 
> research- points to MD4 (let alone **half**MD4) being 
> insufficient. To counter that, two non-cryptanalysts have 
> presented nothing beyond "it seems strong enough to me" and "it 
> passes a meaningless test". Pardon me if I'm not satisfied by 
> that.

So is it your point that mixing the cycle counter with a bad hash 
function is not sufficient? Not sufficient in precisely what threat 
model and against what attack vector? I'd like to hear specifics. 
The URLs pasted in this thread were inapposite - they were using 
information leaks from privileged contexts. If you have relevant 
URLs then please share them.

Are you worried about an attacker being able to run analysis code 
locally, trigger get_random_int() and observe its results, and then 
start a privileged context and know its address space layout?

I can tell you with near certainty that if we mix in the cycle 
counter (and those other task local and call local details) that 
then this attack vector is not practical on x86, at all.

( This particular attack would probably not be feasible even if we 
  used rot13 as the hash plus the cycle counter and the other values 
  - although i certainly feel more confident about this argument 
  with half-md4 in place as the hash. )

> > We cannot afford true physical randomness (it's too expensive to 
> > get and not all hw has it), and even a 'good' PRNG is pretty 
> > expensive.
> 
> And what of my suggestion (multiple times now) to replace halfMD4 
> with SHA1? Or AES. Or any cryptographic primitive that's not known 
> to be completely worthless?

They are all rather expensive, while the existing usage pattern for 
get_random_int() is really: "i want some randomness but also want it 
to be fast".

	Ingo
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ