| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <b9ce7eec-e573-f187-feb5-b1110313f2ac@zytor.com> Date: Mon, 20 Jun 2016 11:52:10 -0700 From: "H. Peter Anvin" <hpa@...or.com> To: Stephan Mueller <smueller@...onox.de>, "Theodore Ts'o" <tytso@....edu> Cc: Herbert Xu <herbert@...dor.apana.org.au>, Linux Kernel Developers List <linux-kernel@...r.kernel.org>, linux-crypto@...r.kernel.org, andi@...stfloor.org, sandyinchina@...il.com, jsd@...n.com Subject: Re: [PATCH 5/7] random: replace non-blocking pool with a Chacha20-based CRNG On 06/20/16 08:49, Stephan Mueller wrote: > Am Montag, 20. Juni 2016, 11:01:47 schrieb Theodore Ts'o: > > Hi Theodore, > >> >> So simply doing chacha20 encryption in a tight loop in the kernel >> might not be a good proxy for what would actually happen in real life >> when someone calls getrandom(2). (Another good question to ask is >> when someone might be needing to generate millions of 256-bit session >> keys per second, when the D-H setup, even if you were using ECCDH, >> would be largely dominating the time for the connection setup anyway.) > > Is speed everything we should care about? What about: > > - offloading of crypto operation from the CPU > This sounds like a speed operation (and very unlikely to be a win given the usage). > - potentially additional security features a hardware cipher may provide like > cache coloring attack resistance? How about burning that bridge when and if we get to it? It sounds very hypothetical. I guess I could add in some comments here about how a lot of these problems can be eliminated by offloading an entire DRNG into hardware, but I don't think it is productive. -hpa
Powered by blists - more mailing lists