lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Wed, 5 Aug 2020 18:24:53 +0200
From:   "Jason A. Donenfeld" <Jason@...c4.com>
To:     "Theodore Ts'o" <tytso@....edu>
Cc:     Willy Tarreau <w@....eu>, Marc Plumb <lkml.mplumb@...il.com>,
        Netdev <netdev@...r.kernel.org>,
        Amit Klein <aksecurity@...il.com>,
        Linus Torvalds <torvalds@...ux-foundation.org>,
        Eric Dumazet <edumazet@...gle.com>,
        Andrew Lutomirski <luto@...nel.org>,
        Kees Cook <keescook@...omium.org>,
        Thomas Gleixner <tglx@...utronix.de>,
        Peter Zijlstra <peterz@...radead.org>,
        stable <stable@...r.kernel.org>
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"

On Wed, Aug 5, 2020 at 6:07 PM <tytso@....edu> wrote:
> That being said, it certainly is a certificational / theoretical
> weakness

random.c is filled with super suspicious things that are probably only
correct by accident, or only correct in practice, but in theory it's
just such a mess. Stupid example if I'm remembering correctly: you
fill the sha1 IV with input from rdrand; if rdrand is borked or
backdoored or whatever, then the security of sha1 there reduces to
shacal1, which isn't totally broken, far from it actually, so we're
fine there, but you can't help but look at that and say "ugh." I'll
rewrite that eventually. Anyway, having another "certificational
weakness", as you put it, that isn't a practical one would be par for
the course with random.c

> , and if the bright boys and girls at Fort Meade did figure
> out a way to exploit this, they are very much unlikely to share it at
> an open Crypto conference.  So replacing LFSR-based PRnG with
> something stronger which didn't release any bits from the fast_pool
> would certainly be desireable, and I look forward to seeing what Willy
> has in mind.

This disaster is partially my fault. I was going to make
get_random_u{32,64} fast enough that we could get rid of the fake rng
stuff, and then Covid things got weird and I haven't gotten refocused
on that yet. Andy started that, and I was supposed to pick up his work
and complete it, but I dropped the ball. I kept meaning to get back to
that, but I'd get discouraged every time I saw Willy sending more
messages about improving the fake rng stuff with more fake rng stuff.
But, seems like it's time for me to step on the pedal a bit and get
that working. So hopefully we'll be able to get rid of the code in
question here, and use a good rng everywhere. I'll send an update on
that if I get it working.


Jason

Powered by blists - more mailing lists