lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20140521202934.GA30084@logfs.org>
Date:	Wed, 21 May 2014 16:29:35 -0400
From:	Jörn Engel <joern@...fs.org>
To:	Andi Kleen <andi@...stfloor.org>
Cc:	Theodore Ts'o <tytso@....edu>, "H. Peter Anvin" <hpa@...or.com>,
	lkml <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH] random: mix all saved registers into entropy pool

On Wed, 21 May 2014 21:39:05 +0200, Andi Kleen wrote:
> 
> > I think leaking of private keys or similar information is not a
> > concern.  But please prove me wrong.  Better you now than someone else
> > later.
> 
> While I don't have a concrete exploit it seems seems dangerous to me. 
> The LibreSSL people just removed a similar behavior from OpenSSL.

Similar, yes.  But there is a difference:
Unconditionally mixing your private key into the entropy pool yields
zero entropy.  While your private is hopefully unpredictable to an
attacker, it never changes.  OpenSSL mixed the private keys for no
benefit.

The reason why I want this patch in is to avoid a different
non-theoretical dangerous situation.  get_cycles() returns 0 on
several architectures and Ted's recent "improvements" are thus far
only noise.  Architectures could define random_get_entropy() to
something else, but no architecture does it.  Therefore we have
millions of embedded systems with interrupts as their sole entropy
source and jiffies as the only timestamp component.

To top it off, those same systems usually lack a read-write filesystem
and will not initialize /dev/random from state read out before the
last reboot.  Now try to estimate how much time has to pass since
reboot until those systems have accumulated 128 bits of entropy.  I
have not heard an estimate from anyone yet.

If you have an alternative approach to fix this very real problem
without potentially leaking private keys under conditions that also
allow more efficient attacks, I would love to know about it.  So far
this is my best attempt and it beats all alternatives I know about.
Which just shows you how horrible the alternatives are.

Also see:
http://blog.fefe.de/?ts=ada960dc
https://factorable.net/weakkeys12.extended.pdf

Jörn

--
The art of propaganda is not telling lies, but rather selecting
the truth you require and giving it mixed up with some truths
the audience wants to hear.
-- Richard Crossman
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ