netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Willy Tarreau <w@1wt.eu>
To: Marc Plumb <lkml.mplumb@gmail.com>
Cc: tytso@mit.edu, netdev@vger.kernel.org, aksecurity@gmail.com,
	torvalds@linux-foundation.org, edumazet@google.com,
	Jason@zx2c4.com, luto@kernel.org, keescook@chromium.org,
	tglx@linutronix.de, peterz@infradead.org, stable@vger.kernel.org
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"
Date: Wed, 5 Aug 2020 04:49:41 +0200	[thread overview]
Message-ID: <20200805024941.GA17301@1wt.eu> (raw)
In-Reply-To: <9f74230f-ba4d-2e19-5751-79dc2ab59877@gmail.com>

Hi Marc,

On Tue, Aug 04, 2020 at 05:52:36PM -0700, Marc Plumb wrote:
> Seeding two PRNGs with the same entropy causes two problems. The minor one
> is that you're double counting entropy. The major one is that anyone who can
> determine the state of one PRNG can determine the state of the other.
> 
> The net_rand_state PRNG is effectively a 113 bit LFSR, so anyone who can see
> any 113 bits of output can determine the complete internal state.
> 
> The output of the net_rand_state PRNG is used to determine how data is sent
> to the network, so the output is effectively broadcast to anyone watching
> network traffic. Therefore anyone watching the network traffic can determine
> the seed data being fed to the net_rand_state PRNG.

The problem this patch is trying to work around is that the reporter
(Amit) was able to determine the entire net_rand_state after observing
a certain number of packets due to this trivial LFSR and the fact that
its internal state between two reseedings only depends on the number
of calls to read it. (please note that regarding this point I'll
propose a patch to replace that PRNG to stop directly exposing the
internal state to the network).

If you look closer at the patch, you'll see that in one interrupt
the patch only uses any 32 out of the 128 bits of fast_pool to
update only 32 bits of the net_rand_state. As such, the sequence
observed on the network also depends on the remaining bits of
net_rand_state, while the 96 other bits of the fast_pool are not
exposed there.

> Since this is the same
> seed data being fed to get_random_bytes, it allows an attacker to determine
> the state and there output of /dev/random. I sincerely hope that this was
> not the intended goal. :)

Not only was this obviously not the goal, but I'd be particularly
interested in seeing this reality demonstrated, considering that
the whole 128 bits of fast_pool together count as a single bit of
entropy, and that as such, even if you were able to figure the
value of the 32 bits leaked to net_rand_state, you'd still have to
guess the 96 other bits for each single entropy bit :-/

Regards,
Willy

  parent reply	other threads:[~2020-08-05  2:49 UTC|newest]

Thread overview: 64+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <9f74230f-ba4d-2e19-5751-79dc2ab59877@gmail.com>
2020-08-05  0:57 ` Flaw in "random32: update the net random state on interrupt and activity" Marc Plumb
2020-08-05  1:02 ` Linus Torvalds
2020-08-05  2:49 ` Willy Tarreau [this message]
2020-08-05 15:34   ` tytso
2020-08-05 16:06     ` Marc Plumb
2020-08-05 19:38       ` Willy Tarreau
2020-08-05 22:21         ` Marc Plumb
2020-08-06  6:30           ` Willy Tarreau
2020-08-06 17:18             ` Marc Plumb
2020-08-07  7:03               ` Willy Tarreau
2020-08-07 16:52                 ` Marc Plumb
2020-08-07 17:43                   ` Willy Tarreau
     [not found]                     ` <C74EC3BC-F892-416F-A95C-4ACFC96EEECE@amacapital.net>
2020-08-07 18:04                       ` Willy Tarreau
2020-08-07 18:10                       ` Linus Torvalds
2020-08-07 19:08                         ` Andy Lutomirski
2020-08-07 19:21                           ` Linus Torvalds
2020-08-07 19:33                             ` Andy Lutomirski
2020-08-07 19:56                               ` Linus Torvalds
2020-08-07 20:16                                 ` Andy Lutomirski
2020-08-07 20:24                                   ` Linus Torvalds
2020-08-07 19:59                     ` Marc Plumb
2020-08-07 22:19                       ` Willy Tarreau
2020-08-07 22:45                         ` Marc Plumb
2020-08-07 23:11                           ` Willy Tarreau
2020-08-05 22:05       ` tytso
2020-08-05 23:03         ` Andy Lutomirski
2020-08-06 17:00         ` Marc Plumb
2020-08-05 16:24     ` Jason A. Donenfeld
2020-08-05 16:53     ` Willy Tarreau
2020-08-05 15:44   ` Marc Plumb
2020-08-05 16:39     ` Linus Torvalds
2020-08-05 23:49       ` Stephen Hemminger
2020-08-08 15:26 George Spelvin
2020-08-08 17:07 ` Andy Lutomirski
2020-08-08 18:08   ` Willy Tarreau
2020-08-08 18:13   ` Linus Torvalds
2020-08-08 19:03   ` George Spelvin
2020-08-08 19:49     ` Andy Lutomirski
2020-08-08 21:29       ` George Spelvin
2020-08-08 17:44 ` Willy Tarreau
2020-08-08 18:19   ` Linus Torvalds
2020-08-08 18:53     ` Willy Tarreau
2020-08-08 20:47     ` George Spelvin
2020-08-08 20:52       ` Linus Torvalds
2020-08-08 22:27         ` George Spelvin
2020-08-09  2:07           ` Linus Torvalds
2020-08-11 16:01             ` Eric Dumazet
2020-08-08 19:18   ` Florian Westphal
2020-08-08 20:59     ` George Spelvin
2020-08-08 21:18     ` Willy Tarreau
2020-08-08 20:08   ` George Spelvin
2020-08-08 20:47     ` Linus Torvalds
2020-08-12  6:03 Sedat Dilek
2020-08-12  6:35 ` Sedat Dilek
2020-08-12  7:13   ` Sedat Dilek
2020-08-12 15:16 ` Eric Dumazet
2020-08-12 16:20   ` Sedat Dilek
2020-08-12 16:24     ` Eric Dumazet
2020-08-12 16:38       ` Sedat Dilek
2020-08-19  9:51         ` Sedat Dilek
2021-01-08 13:08       ` Sedat Dilek
2021-01-08 13:51         ` Sedat Dilek
2021-01-08 15:41           ` Eric Dumazet
2021-01-08 21:32             ` Sedat Dilek

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200805024941.GA17301@1wt.eu \
    --to=w@1wt.eu \
    --cc=Jason@zx2c4.com \
    --cc=aksecurity@gmail.com \
    --cc=edumazet@google.com \
    --cc=keescook@chromium.org \
    --cc=lkml.mplumb@gmail.com \
    --cc=luto@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=peterz@infradead.org \
    --cc=stable@vger.kernel.org \
    --cc=tglx@linutronix.de \
    --cc=torvalds@linux-foundation.org \
    --cc=tytso@mit.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).