| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20090507165545.GK31071@waste.org> Date: Thu, 7 May 2009 11:55:45 -0500 From: Matt Mackall <mpm@...enic.com> To: Florian Weimer <fweimer@....de> Cc: Linus Torvalds <torvalds@...ux-foundation.org>, Ingo Molnar <mingo@...e.hu>, "Eric W. Biederman" <ebiederm@...ssion.com>, Arjan van de Ven <arjan@...radead.org>, Jake Edge <jake@....net>, security@...nel.org, Linux Kernel Mailing List <linux-kernel@...r.kernel.org>, James Morris <jmorris@...ei.org>, linux-security-module@...r.kernel.org, Eric Paris <eparis@...hat.com>, Alan Cox <alan@...rguk.ukuu.org.uk>, Roland McGrath <roland@...hat.com>, mingo@...hat.com, Andrew Morton <akpm@...ux-foundation.org>, Greg KH <greg@...ah.com>, Dave Jones <davej@...hat.com> Subject: Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes On Thu, May 07, 2009 at 05:16:27PM +0200, Florian Weimer wrote: > * Matt Mackall: > > > On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote: > >> > >> Matt, are you willing to ack my suggested patch which adds history to the > >> mix? Did somebody test that? I have this memory of there being an > >> "exploit" program to show the non-randomness of the values, but I can't > >> recall details, and would really want to get a second opinion from > >> somebody who cares about PRNG's. > > > > I still don't like it. I bounced it off some folks on the adversarial > > side of things and they didn't think it looked strong enough either. > > Full MD5 collisions can be generated about as fast as they can be > > checked, which makes _reduced strength_ MD4 not much better than an > > LFSR in terms of attack potential. > > Well, with periodic reseeding, even that shouldn't be a problem. You > don't need collision resistance at all, so those MD5 attacks don't > tell you anything about the difficulty of state recovery/prediction > attacks on your variant. It's *not* MD5. It's a reduced-round MD4. And MD4 is already many orders of magnitude weaker than MD5. It's so weak in fact that collisions can be generated in O(1)[1]. Hard to get much weaker than that, except by, say, using something like our reduced-round variant. It's not much of a stretch of the imagination to think that such an amazingly weak hash might reveal our hidden state quite rapidly, especially when used in a feedback mode. [1] http://eprint.iacr.org/2005/151.pdf We have a better hash function handy, and it's only takes twice as long. > On the other hand, most people who need a quick, unpredictable source > of randomness seem to use RC4 with a random key initialized from a > more costly source. Using a stream cipher is a fine idea. Ted and I have recently discussed adding this as a layer to the stock RNG. We haven't used it historically because of a) export restrictions and b) unsuitability of the cryptoapi interface. > Oh, and you should really, really ditch that Tausworthe generator (in > lib/random32.c). I'm not responsible for that particular bad idea. -- Mathematics is the supreme nostalgia of our time. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists