Date:   Sat, 8 Aug 2020 10:07:51 -0700
From:   Andy Lutomirski <luto@...capital.net>
To:     George Spelvin <lkml@....org>
Cc:     netdev@...r.kernel.org, w@....eu, aksecurity@...il.com,
        torvalds@...ux-foundation.org, edumazet@...gle.com,
        Jason@...c4.com, luto@...nel.org, keescook@...omium.org,
        tglx@...utronix.de, peterz@...radead.org, tytso@....edu,
        lkml.mplumb@...il.com, stephen@...workplumber.org
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"


> On Aug 8, 2020, at 8:29 AM, George Spelvin <lkml@....org> wrote:
> 

> And apparently switching to the fastest secure PRNG currently
> in the kernel (get_random_u32() using ChaCha + per-CPU buffers)
> would cause too much performance penalty.

Can someone explain *why* the slow path latency is particularly relevant here?  What workload has the net code generating random numbers in a place where even a whole microsecond is a problem as long as the amortized cost is low?  (I’m not saying I won’t believe this matters, but it’s not obvious to me that it matters.)

>    - Cryptographically strong ChaCha, batched
>    - Cryptographically strong ChaCha, with anti-backtracking.

I think we should just anti-backtrack everything.  With the “fast key erasure” construction, already implemented in my patchset for the buffered bytes, this is extremely fast.
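
Added example, not part of the original message or of the patchset it mentions: a user-space C illustration of "fast key erasure" over a buffered ChaCha20 stream, where each refill overwrites the key with the first 32 bytes of fresh output and served bytes are wiped, so a later state compromise cannot reproduce earlier outputs. The names `fke_rng`, `fke_refill`, `fke_get` and the 256-byte buffer size are assumptions made for this illustration.

```c
#include <stdint.h>
#include <string.h>

#define ROTL(v, n) (((v) << (n)) | ((v) >> (32 - (n))))
#define QR(a, b, c, d) do { \
    a += b; d ^= a; d = ROTL(d, 16); c += d; b ^= c; b = ROTL(b, 12); \
    a += b; d ^= a; d = ROTL(d, 8);  c += d; b ^= c; b = ROTL(b, 7); } while (0)
#define LE32(p) ((p)[0] | (uint32_t)(p)[1] << 8 | (uint32_t)(p)[2] << 16 | (uint32_t)(p)[3] << 24)
#define FKE_BUF 256u /* assumed bytes per refill: 32 become the next key, 224 are output */
struct fke_rng { uint8_t key[32], buf[FKE_BUF]; size_t pos; };

/* One ChaCha20 block, RFC 8439 layout (32-bit counter, 96-bit nonce). */
static void chacha20_block(const uint8_t *key, uint32_t ctr, const uint8_t *nonce, uint8_t *out)
{
    uint32_t s[16] = { 0x61707865, 0x3320646e, 0x79622d32, 0x6b206574 }, x[16], i;
    for (i = 0; i < 8; i++) s[4 + i] = LE32(key + 4 * i);
    for (i = 0; i < 3; i++) s[13 + i] = LE32(nonce + 4 * i);
    s[12] = ctr; memcpy(x, s, sizeof x);
    for (i = 0; i < 10; i++) { /* 10 double rounds = 20 rounds */
        QR(x[0], x[4], x[8], x[12]);  QR(x[1], x[5], x[9], x[13]);
        QR(x[2], x[6], x[10], x[14]); QR(x[3], x[7], x[11], x[15]);
        QR(x[0], x[5], x[10], x[15]); QR(x[1], x[6], x[11], x[12]);
        QR(x[2], x[7], x[8], x[13]);  QR(x[3], x[4], x[9], x[14]);
    }
    for (i = 0; i < 64; i++) out[i] = (uint8_t)((x[i / 4] + s[i / 4]) >> (8 * (i % 4)));
}

/* Fast key erasure: generate a buffer, then replace the key with its first 32 bytes. */
static void fke_refill(struct fke_rng *r)
{
    static const uint8_t nonce[12] = { 0 };
    for (uint32_t i = 0; i < FKE_BUF / 64; i++)
        chacha20_block(r->key, i, nonce, r->buf + 64 * i);
    memcpy(r->key, r->buf, 32);  /* the old key no longer exists anywhere */
    memset(r->buf, 0, 32);       /* kernel code would use memzero_explicit() */
    r->pos = 32;
}

/* Seed by filling r->key and setting r->pos = FKE_BUF (empty buffer) before first use. */
void fke_get(struct fke_rng *r, uint8_t *out, size_t n)
{
    while (n) {
        if (r->pos == FKE_BUF) fke_refill(r);
        size_t take = FKE_BUF - r->pos < n ? FKE_BUF - r->pos : n;
        memcpy(out, r->buf + r->pos, take);
        memset(r->buf + r->pos, 0, take); /* erase bytes as they are handed out */
        r->pos += take; out += take; n -= take;
    }
}
```

The per-call cost is a `memcpy` plus a `memset`; the cipher runs only once per 224 output bytes, which is the amortization the message refers to.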
