| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 11 Nov 2019 18:48:09 +0100
From: Thiemo Nagel <tnagel@...gle.com>
To: Eric Dumazet <edumazet@...gle.com>
Cc: David Miller <davem@...emloft.net>,
netdev <netdev@...r.kernel.org>,
Eric Dumazet <eric.dumazet@...il.com>
Subject: Re: [PATCH net] inet: stop leaking jiffies on the wire
Hey Eric,
I think we should distinguish two different problems here:
a) There's insufficient entropy to seed the RNG. As a consequence,
observing a (partial) sequence of numbers may allow an attacker to
determine the internal state, independently of whether the RNG is
cryptographically secure or not.
b) The RNG is not cryptographically secure. In that case, observing a
(partial) sequence of numbers may allow an attacker to determine the
internal state, independent of the amount of entropy that was used to
seed it.
Problem a) is hard -- as you mention, it may require hardware support
to solve it fully. However the problem that I'm suggesting to address
is b), and that likely can be solved by swapping out prandom_u32() for
get_random_u32().
> If IP ID had to be cryptographically secure, you can be sure we would
> have addressed the problem 20 years ago.
I don't think this is a valid point at all. There are countless
examples of things that weren't known 20 years ago but that are better
understood today. One relevant example is RFC7258 which only came out
in 2014.
Kind regards,
Thiemo
Powered by blists - more mailing lists