Message-ID: <985108b1-6d51-4458-48de-c5b96c5f14f9@redhat.com>
Date:   Tue, 16 Apr 2019 10:09:29 +0200
From:   Paolo Bonzini <pbonzini@...hat.com>
To:     Pascal Van Leeuwen <pvanleeuwen@...idesecure.com>,
        Hao Feng <fenghao@...on.cn>,
        'Tom Lendacky ' <thomas.lendacky@....com>,
        'Gary Hook ' <gary.hook@....com>,
        'Herbert Xu ' <herbert@...dor.apana.org.au>,
        "' David S. Miller '" <davem@...emloft.net>,
        'Janakarajan Natarajan ' <Janakarajan.Natarajan@....com>,
        'Joerg Roedel ' <joro@...tes.org>,
        ' Radim Krčmář ' <rkrcmar@...hat.com>,
        'Thomas Gleixner ' <tglx@...utronix.de>,
        'Ingo Molnar ' <mingo@...hat.com>,
        'Borislav Petkov ' <bp@...en8.de>,
        "' H. Peter Anvin '" <hpa@...or.com>
Cc:     'Zhaohui Du ' <duzhaohui@...on.cn>,
        'Zhiwei Ying ' <yingzhiwei@...on.cn>,
        'Wen Pu ' <puwen@...on.cn>,
        "x86@...nel.org" <x86@...nel.org>,
        "linux-crypto@...r.kernel.org" <linux-crypto@...r.kernel.org>,
        "kvm@...r.kernel.org" <kvm@...r.kernel.org>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>
Subject: Re: [PATCH 0/6] Add Hygon SEV support
On 16/04/19 08:58, Pascal Van Leeuwen wrote:
>>> Besides that, they are in heavy practical use in mainland China,
>>> usually as direct replacements for SHA2-256 and AES in whatever
>>> protocol or use case you need: IPsec, TLS, WPA2, XTS for disk encryption,
>>> you name it.
>>
>> How should that mean anything?
>
> Uhm ... no, the fact that something is actually *useful* to potentially
> a billion plus people doesn't mean anything ...

Useful does not mean secure, does it?  PKZIP encryption was certainly
useful back in the day, but it was not secure.

>> I did educate myself a bit, but I'm not an expert in cryptography, so I
>> would like to be sure that these are not another Speck or DUAL-EC-DRBG.
>
> Innocent until proven guilty mean anything to you?

This is not a court of justice, it's a software project.  For that
matter "certainty beyond reasonable doubt" is not a thing either in this
context.

>>  "SM2 is based on ECC(Elliptic Curve Cryptography), and uses a special
>> curve" is enough for me to see warning signs, at least without further
>> explanations,
>>
> The specification is public (if you can read Chinese, anyway), so open to
> analysis. Either way, it's quite irrelevant to Chinese organisations that
> HAVE to use SM2. And anyone else can just decide NOT to use it, you don't
> even have to compile it into your kernel. It's called freedom.

"Freedom" didn't apply when Speck was proposed for inclusion in Linux,
and I would like to make sure I don't make a mistake when adding crypto
interfaces.  If SM2/3/4 were broken, I couldn't care less if someone HAS
to use them, they can patch their kernel.  But if they're not then I
appreciate that you wrote to correct me, it's helpful.  Please
understand that 99% of the community has not ever heard of anything but
SHA-{1,2,3}, ECDSA, Ed25519, AES.  If somebody comes up with a patch
with "strange" crypto, it's up to them to say that they are secure---and
again, the key word is secure, not useful.

Paolo

>> and so does the fact that the initial SM3 values were
>> changed from SHA-2 and AFAICT there is no public justification for
>> that.
>>
> Actually, SM3 is an *improvement* on SHA-2, and there has been ample
> analysis done on that to, in fact, confirm it's (slightly) better.
> So there IS public justification. Don't shout if you don't know the
> facts.