| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 12 Sep 2011 09:55:15 -0400 From: Jarod Wilson <jarod@...hat.com> To: Valdis.Kletnieks@...edu CC: Sandy Harris <sandyinchina@...il.com>, Steve Grubb <sgrubb@...hat.com>, Neil Horman <nhorman@...hat.com>, Tomas Mraz <tmraz@...hat.com>, Sasha Levin <levinsasha928@...il.com>, "Ted Ts'o" <tytso@....edu>, linux-crypto@...r.kernel.org, Matt Mackall <mpm@...enic.com>, Herbert Xu <herbert.xu@...hat.com>, Stephan Mueller <stephan.mueller@...ec.com>, lkml <linux-kernel@...r.kernel.org> Subject: Re: [PATCH] random: add blocking facility to urandom Valdis.Kletnieks@...edu wrote: > On Fri, 09 Sep 2011 10:21:13 +0800, Sandy Harris said: >> Barring a complete failure of SHA-1, an enemy who wants to >> infer the state from outputs needs astronomically large amounts >> of both data and effort. > > So let me get this straight - the movie-plot attack we're defending against is > somebody readin literally gigabytes to terabytes (though I suspect realistic > attacks will require peta/exabytes) of data from /dev/urandom, then performing > all the data reduction needed to infer the state of enough of the entropy pool > to infer all 160 bits of SHA-1 when only 80 bits are output... > > *and* doing it all without taking *any* action that adds any entropy to the > pool, and *also* ensuring that no other programs add any entropy via their > actions before the reading and data reduction completes. (Hint - if the > attacker can do this, you're already pwned and have bigger problems) > > /me thinks RedHat needs to start insisting on random drug testing for > their security experts at BSI. EIther that, or force BSI to share the > really good stuff they've been smoking, or they need to learn how huge > a number 2^160 *really* is.... Well, previously, we were looking at simply improving random entropy contributions, but quoting Matt Mackall from here: http://www.mail-archive.com/linux-crypto@vger.kernel.org/msg05799.html 'I recommend you do some Google searches for "ssl timing attack" and "aes timing attack" to get a feel for the kind of seemingly impossible things that can be done and thereby recalibrate your scale of the impossible.' :) Note: I'm not a crypto person. At all. I'm just the "lucky" guy who got tagged to work on trying to implement various suggestions to satisfy various government agencies. -- Jarod Wilson jarod@...hat.com -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists