lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date:   Sat, 30 Apr 2022 10:08:30 +0800
From:   Sandy Harris <sandyinchina@...il.com>
To:     "Jason A. Donenfeld" <Jason@...c4.com>
Cc:     nadiah@...ucsd.edu, noahsd@...il.com, dodis@...nyu.edu,
        tessaro@...washington.edu,
        Linus Torvalds <torvalds@...ux-foundation.org>, djb@...yp.to,
        "Ted Ts'o" <tytso@....edu>,
        Jean-Philippe Aumasson <jeanphilippe.aumasson@...il.com>,
        Jann Horn <jann@...jh.net>, Kees Cook <keescook@...omium.org>,
        Greg Kroah-Hartman <gregkh@...uxfoundation.org>,
        peter@...ptojedi.org,
        Linux Crypto Mailing List <linux-crypto@...r.kernel.org>,
        LKML <linux-kernel@...r.kernel.org>
Subject: Re: is "premature next" a real world rng concern, or just an academic exercise?

Jason A. Donenfeld <Jason@...c4.com> wrote:

> The Linux kernel RNG currently pretends to care about the "premature
> next" RNG threat model. I'm wondering whether this is sensible and
> corresponds to anything real.
>
> "Premature next" is the scenario in which:
> - Attacker compromises the current state of a fully initialized RNG with
>   a wild 'n crazy kernel infoleak.
> - New bits of entropy are added directly to the key used to generate the
>   /dev/urandom stream, without any buffering or pooling.

So don't do that, then. Keep a separate input pool/buffer and put
only hashed outputs from ir into the output pool.

> - Attacker then, somehow having read access to /dev/urandom, samples RNG
>   output and brute forces the individual new bits that were added.
> - Result: the RNG never "recovers" from the initial compromise, a
>   so-called violation of what academics term "post-compromise security".

Use chunks big enough for "catastrophic reseeding", impractical to
brute force, at least 64 bits & preferably larger.

>  Fortuna requires non-zero code
> complexity; does the benefit outweigh the cost of such complexity?

I'd say certainly not.

> The questions are thus:
> ...
> 3) More broadly speaking, what kernel infoleak is actually acceptable to
>    the degree that anybody would feel okay in the first place about the
>    system continuing to run after it's been compromised?

If we have a good entropy source -- e.g. running on an Intel CPU
& consider their RNG instruction trustworthy, or in a VM & trust
the host -- then we should be able to guarantee recovery at the
next reseeding. Just dump at least 128 bits from that source
into the input pool before hashing.

The interesting question is whether & how soon we can guarantee
recovery if no such source is available, we rely only on entropy
gathering from interrupts, with or without the gcc latent entropy
plugin.

> Is "premature next" just an academic exercise, rather than a real world
> RNG concern?

No.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ