lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date:   Fri, 7 Aug 2020 12:59:48 -0700
From:   Marc Plumb <lkml.mplumb@...il.com>
To:     Willy Tarreau <w@....eu>
Cc:     tytso@....edu, netdev@...r.kernel.org, aksecurity@...il.com,
        torvalds@...ux-foundation.org, edumazet@...gle.com,
        Jason@...c4.com, luto@...nel.org, keescook@...omium.org,
        tglx@...utronix.de, peterz@...radead.org, stable@...r.kernel.org
Subject: Re: Flaw in "random32: update the net random state on interrupt and
 activity"


On 2020-08-07 10:43 a.m., Willy Tarreau wrote:
>
>> Which means that it's 2^32 effort to brute force this (which Amit called "no
>> biggie for modern machines"). If the noise is the raw sample data with only
>> a few bits of entropy, then it's even easier to brute force.
> Don't you forget to multiply by another 2^32 for X being folded onto itself ?
> Because you have 2^32 possible values of X which will give you a single 32-bit
> output value for a given noise value.

If I can figure the state out once, then the only new input is the 
noise, so that's the only part I have to brute force. Throwing the noise 
in makes it more difficult to get that state once, but once I have it 
then this type of reseeding doesn't help.


>> Is there a hard instruction budget for this, or it is
>> just "fast enough to not hurt the network benchmarks" (i.e. if Dave Miller
>> screams)?
> It's not just Davem. I too am concerned about wasting CPU cycles in fast
> path especially in the network code. A few half-percent gains are hardly
> won once in a while in this area and in some infrastructures they matter.
> Not much but they do.

That's why I was asking. I don't have the same experience as you for 
what acceptable is. I think it might be possible to do a decent CPRNG 
(that's at least had some cryptanalys of it) with ~20 instructions per 
word, but if that's not fast enough then I'll think about other options.

Marc

Powered by blists - more mailing lists