[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <532659F5.2030005@zytor.com>
Date: Sun, 16 Mar 2014 19:12:05 -0700
From: "H. Peter Anvin" <hpa@...or.com>
To: Matt Mackall <mpm@...enic.com>, Kees Cook <keescook@...omium.org>
CC: Jason Cooper <jason@...edaemon.net>,
"Theodore Ts'o" <tytso@....edu>,
LKML <linux-kernel@...r.kernel.org>,
Herbert Xu <herbert@...dor.apana.org.au>,
Rusty Russell <rusty@...tcorp.com.au>,
Satoru Takeuchi <satoru.takeuchi@...il.com>,
linux-crypto <linux-crypto@...r.kernel.org>,
Andrew Morton <akpm@...ux-foundation.org>
Subject: Re: [PATCH][RESEND 3] hwrng: add randomness to system from rng sources
On 03/04/2014 02:39 PM, Matt Mackall wrote:
>
> [temporarily coming out of retirement to provide a clue]
>
> The pool mixing function is intentionally _reversible_. This is a
> crucial security property.
>
> That means, if I have an initial secret pool state X, and hostile
> attacker controlled data Y, then we can do:
>
> X' = mix(X, Y)
>
> and
>
> X = unmix(X', Y)
>
> We can see from this that the combination of (X' and Y) still contain
> the information that was originally in X. Since it's clearly not in Y..
> it must all remain in X'.
>
This of course assumes that the attacker doesn't know the state of the
pool X.
The other thing to note is that reversible doesn't necessarily mean
linear (the current mixing function is linear.) AES, for example, is
reversible (if and only if you possess the key) but is highly nonlinear.
I'm not saying we should use AES to mix the pool -- it is almost
guaranteed to be too expensive.
-hpa
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists