From: Theodore Ts'o <tytso@mit.edu>
To: kernel-hardening@lists.openwall.com
Cc: Jason@zx2c4.com, linux@sciencehorizons.net, ak@linux.intel.com,
davem@davemloft.net, David.Laight@aculab.com, djb@cr.yp.to,
ebiggers3@gmail.com, hannes@stressinduktion.org,
jeanphilippe.aumasson@gmail.com, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, luto@amacapital.net,
netdev@vger.kernel.org, tom@herbertland.com,
torvalds@linux-foundation.org, vegard.nossum@gmail.com
Subject: Re: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF
Date: Sat, 17 Dec 2016 10:41:52 -0500 [thread overview]
Message-ID: <20161217154152.5oug7mzb4tmfknwv@thunk.org> (raw)
In-Reply-To: <20161217021503.32767.qmail@ns.sciencehorizons.net>
On Fri, Dec 16, 2016 at 09:15:03PM -0500, George Spelvin wrote:
> >> - Ted, Andy Lutorminski and I will try to figure out a construction of
> >> get_random_long() that we all like.
We don't have to find the most optimal solution right away; we can
approach this incrementally, after all.
So long as we replace get_random_{long,int}() with something which is
(a) strictly better in terms of security given today's use of MD5, and
(b) which is strictly *faster* than the current construction on 32-bit
and 64-bit systems, we can do that, and can try to make it be faster
while maintaining some minimum level of security which is sufficient
for all current users of get_random_{long,int}() and which can be
clearly artificulated for future users of get_random_{long,int}().
The main worry at this point I have is benchmarking siphash on a
32-bit system. It may be that simply batching the chacha20 output so
that we're using the urandom construction more efficiently is the
better way to go, since that *does* meet the criteron of strictly more
secure and strictly faster than the current MD5 solution. I'm open to
using siphash, but I want to see the the 32-bit numbers first.
As far as half-siphash is concerned, it occurs to me that the main
problem will be those users who need to guarantee that output can't be
guessed over a long period of time. For example, if you have a
long-running process, then the output needs to remain unguessable over
potentially months or years, or else you might be weakening the ASLR
protections. If on the other hand, the hash table or the process will
be going away in a matter of seconds or minutes, the requirements with
respect to cryptographic strength go down significantly.
Now, maybe this doesn't matter that much if we can guarantee (or make
assumptions) that the attacker doesn't have unlimited access the
output stream of get_random_{long,int}(), or if it's being used in an
anti-DOS use case where it ultimately only needs to be harder than
alternate ways of attacking the system.
Rekeying every five minutes doesn't necessarily help the with respect
to ASLR, but it might reduce the amount of the output stream that
would be available to the attacker in order to be able to attack the
get_random_{long,int}() generator, and it also reduces the value of
doing that attack to only compromising the ASLR for those processes
started within that five minute window.
Cheers,
- Ted
P.S. I'm using ASLR as an example use case, above; of course we will
need to make similar eximainations of the other uses of
get_random_{long,int}().
P.P.S. We might also want to think about potentially defining
get_random_{long,int}() to be unambiguously strong, and then creating
a get_weak_random_{long,int}() which on platforms where performance
might be a consideration, it uses a weaker algorithm perhaps with some
kind of rekeying interval.
WARNING: multiple messages have this Message-ID (diff)
From: "Theodore Ts'o" <tytso@mit.edu>
To: kernel-hardening@lists.openwall.com
Cc: Jason@zx2c4.com, linux@sciencehorizons.net, ak@linux.intel.com,
davem@davemloft.net, David.Laight@aculab.com, djb@cr.yp.to,
ebiggers3@gmail.com, hannes@stressinduktion.org,
jeanphilippe.aumasson@gmail.com, linux-crypto@vger.kernel.org,
linux-kernel@vger.kernel.org, luto@amacapital.net,
netdev@vger.kernel.org, tom@herbertland.com,
torvalds@linux-foundation.org, vegard.nossum@gmail.com
Subject: Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF
Date: Sat, 17 Dec 2016 10:41:52 -0500 [thread overview]
Message-ID: <20161217154152.5oug7mzb4tmfknwv@thunk.org> (raw)
In-Reply-To: <20161217021503.32767.qmail@ns.sciencehorizons.net>
On Fri, Dec 16, 2016 at 09:15:03PM -0500, George Spelvin wrote:
> >> - Ted, Andy Lutorminski and I will try to figure out a construction of
> >> get_random_long() that we all like.
We don't have to find the most optimal solution right away; we can
approach this incrementally, after all.
So long as we replace get_random_{long,int}() with something which is
(a) strictly better in terms of security given today's use of MD5, and
(b) which is strictly *faster* than the current construction on 32-bit
and 64-bit systems, we can do that, and can try to make it be faster
while maintaining some minimum level of security which is sufficient
for all current users of get_random_{long,int}() and which can be
clearly artificulated for future users of get_random_{long,int}().
The main worry at this point I have is benchmarking siphash on a
32-bit system. It may be that simply batching the chacha20 output so
that we're using the urandom construction more efficiently is the
better way to go, since that *does* meet the criteron of strictly more
secure and strictly faster than the current MD5 solution. I'm open to
using siphash, but I want to see the the 32-bit numbers first.
As far as half-siphash is concerned, it occurs to me that the main
problem will be those users who need to guarantee that output can't be
guessed over a long period of time. For example, if you have a
long-running process, then the output needs to remain unguessable over
potentially months or years, or else you might be weakening the ASLR
protections. If on the other hand, the hash table or the process will
be going away in a matter of seconds or minutes, the requirements with
respect to cryptographic strength go down significantly.
Now, maybe this doesn't matter that much if we can guarantee (or make
assumptions) that the attacker doesn't have unlimited access the
output stream of get_random_{long,int}(), or if it's being used in an
anti-DOS use case where it ultimately only needs to be harder than
alternate ways of attacking the system.
Rekeying every five minutes doesn't necessarily help the with respect
to ASLR, but it might reduce the amount of the output stream that
would be available to the attacker in order to be able to attack the
get_random_{long,int}() generator, and it also reduces the value of
doing that attack to only compromising the ASLR for those processes
started within that five minute window.
Cheers,
- Ted
P.S. I'm using ASLR as an example use case, above; of course we will
need to make similar eximainations of the other uses of
get_random_{long,int}().
P.P.S. We might also want to think about potentially defining
get_random_{long,int}() to be unambiguously strong, and then creating
a get_weak_random_{long,int}() which on platforms where performance
might be a consideration, it uses a weaker algorithm perhaps with some
kind of rekeying interval.
next prev parent reply other threads:[~2016-12-17 15:41 UTC|newest]
Thread overview: 181+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-15 20:29 [PATCH v5 0/4] The SipHash Patchset Jason A. Donenfeld
2016-12-15 20:29 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-15 22:42 ` George Spelvin
2016-12-15 22:42 ` [kernel-hardening] " George Spelvin
2016-12-15 23:00 ` Jean-Philippe Aumasson
2016-12-15 23:00 ` [kernel-hardening] " Jean-Philippe Aumasson
2016-12-15 23:28 ` George Spelvin
2016-12-15 23:28 ` [kernel-hardening] " George Spelvin
2016-12-16 17:06 ` David Laight
2016-12-16 17:06 ` [kernel-hardening] " David Laight
2016-12-16 17:06 ` David Laight
2016-12-16 17:09 ` Jason A. Donenfeld
2016-12-16 17:09 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 17:09 ` Jason A. Donenfeld
2016-12-16 3:46 ` George Spelvin
2016-12-16 3:46 ` [kernel-hardening] " George Spelvin
2016-12-16 8:08 ` Jean-Philippe Aumasson
2016-12-16 8:08 ` [kernel-hardening] " Jean-Philippe Aumasson
2016-12-16 12:39 ` Jason A. Donenfeld
2016-12-16 12:39 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 13:22 ` Jean-Philippe Aumasson
2016-12-16 13:22 ` [kernel-hardening] " Jean-Philippe Aumasson
2016-12-16 15:51 ` Jason A. Donenfeld
2016-12-16 15:51 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 17:36 ` George Spelvin
2016-12-16 17:36 ` [kernel-hardening] " George Spelvin
2016-12-16 18:00 ` Jason A. Donenfeld
2016-12-16 18:00 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 20:17 ` George Spelvin
2016-12-16 20:17 ` [kernel-hardening] " George Spelvin
2016-12-16 20:43 ` Theodore Ts'o
2016-12-16 20:43 ` [kernel-hardening] " Theodore Ts'o
2016-12-16 22:13 ` George Spelvin
2016-12-16 22:13 ` [kernel-hardening] " George Spelvin
2016-12-16 22:15 ` Andy Lutomirski
2016-12-16 22:15 ` [kernel-hardening] " Andy Lutomirski
2016-12-16 22:15 ` Andy Lutomirski
2016-12-16 22:18 ` Jason A. Donenfeld
2016-12-16 22:18 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 23:44 ` George Spelvin
2016-12-16 23:44 ` [kernel-hardening] " George Spelvin
2016-12-17 1:39 ` Jason A. Donenfeld
2016-12-17 1:39 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-17 2:15 ` George Spelvin
2016-12-17 2:15 ` [kernel-hardening] " George Spelvin
2016-12-17 15:41 ` Theodore Ts'o [this message]
2016-12-17 15:41 ` Theodore Ts'o
2016-12-17 16:14 ` Jeffrey Walton
2016-12-17 16:14 ` [kernel-hardening] " Jeffrey Walton
2016-12-19 17:21 ` Jason A. Donenfeld
2016-12-17 12:42 ` George Spelvin
2016-12-17 12:42 ` [kernel-hardening] " George Spelvin
2016-12-16 20:39 ` Jason A. Donenfeld
2016-12-16 20:39 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 19:47 ` Tom Herbert
2016-12-16 19:47 ` [kernel-hardening] " Tom Herbert
2016-12-16 20:41 ` George Spelvin
2016-12-16 20:41 ` [kernel-hardening] " George Spelvin
2016-12-16 20:57 ` Tom Herbert
2016-12-16 20:57 ` [kernel-hardening] " Tom Herbert
2016-12-16 20:44 ` Daniel Micay
2016-12-16 20:44 ` [kernel-hardening] " Daniel Micay
2016-12-16 21:09 ` Jason A. Donenfeld
2016-12-17 15:21 ` George Spelvin
2016-12-17 15:21 ` [kernel-hardening] " George Spelvin
2016-12-19 14:14 ` David Laight
2016-12-19 14:14 ` [kernel-hardening] " David Laight
2016-12-19 14:14 ` David Laight
2016-12-19 18:10 ` George Spelvin
2016-12-19 18:10 ` [kernel-hardening] " George Spelvin
2016-12-19 20:18 ` Jean-Philippe Aumasson
2016-12-19 20:18 ` [kernel-hardening] " Jean-Philippe Aumasson
2016-12-16 2:14 ` kbuild test robot
2016-12-16 2:14 ` [kernel-hardening] " kbuild test robot
2016-12-17 14:55 ` Jeffrey Walton
2016-12-17 14:55 ` [kernel-hardening] " Jeffrey Walton
2016-12-19 17:08 ` Jason A. Donenfeld
2016-12-19 17:08 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-19 17:19 ` Jean-Philippe Aumasson
2016-12-19 17:19 ` [kernel-hardening] " Jean-Philippe Aumasson
2016-12-15 20:30 ` [PATCH v5 2/4] siphash: add Nu{32,64} helpers Jason A. Donenfeld
2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 10:39 ` David Laight
2016-12-16 10:39 ` [kernel-hardening] " David Laight
2016-12-16 10:39 ` David Laight
2016-12-16 15:44 ` George Spelvin
2016-12-16 15:44 ` [kernel-hardening] " George Spelvin
2016-12-15 20:30 ` [PATCH v5 3/4] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 9:59 ` David Laight
2016-12-16 9:59 ` [kernel-hardening] " David Laight
2016-12-16 9:59 ` David Laight
2016-12-16 15:57 ` Jason A. Donenfeld
2016-12-16 15:57 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 15:57 ` Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 4/4] random: " Jason A. Donenfeld
2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 0/5] The SipHash Patchset Jason A. Donenfeld
2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 1/5] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 2/5] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 3/5] random: " Jason A. Donenfeld
2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 21:31 ` Andy Lutomirski
2016-12-16 21:31 ` [kernel-hardening] " Andy Lutomirski
2016-12-16 21:31 ` Andy Lutomirski
2016-12-16 3:03 ` [PATCH v6 4/5] md5: remove from lib and only live in crypto Jason A. Donenfeld
2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 5/5] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld
2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 0/6] The SipHash Patchset Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 1/6] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 1:40 ` Stephen Hemminger
2016-12-22 1:40 ` [kernel-hardening] " Stephen Hemminger
2016-12-21 23:02 ` [PATCH v7 2/6] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 3/6] random: " Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:13 ` Jason A. Donenfeld
2016-12-21 23:13 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:42 ` Andy Lutomirski
2016-12-21 23:42 ` [kernel-hardening] " Andy Lutomirski
2016-12-21 23:42 ` Andy Lutomirski
2016-12-22 2:07 ` Hannes Frederic Sowa
2016-12-22 2:07 ` [kernel-hardening] " Hannes Frederic Sowa
2016-12-22 2:07 ` Hannes Frederic Sowa
2016-12-22 2:09 ` Andy Lutomirski
2016-12-22 2:09 ` [kernel-hardening] " Andy Lutomirski
2016-12-22 2:09 ` Andy Lutomirski
2016-12-22 2:49 ` Jason A. Donenfeld
2016-12-22 2:49 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 2:49 ` Jason A. Donenfeld
2016-12-22 3:12 ` Jason A. Donenfeld
2016-12-22 3:12 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 3:12 ` Jason A. Donenfeld
2016-12-22 5:41 ` Theodore Ts'o
2016-12-22 5:41 ` [kernel-hardening] " Theodore Ts'o
2016-12-22 6:03 ` Jason A. Donenfeld
2016-12-22 15:58 ` Theodore Ts'o
2016-12-22 15:58 ` [kernel-hardening] " Theodore Ts'o
2016-12-22 16:16 ` Jason A. Donenfeld
2016-12-22 16:16 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 16:30 ` Theodore Ts'o
2016-12-22 16:36 ` Jason A. Donenfeld
2016-12-22 12:47 ` Hannes Frederic Sowa
2016-12-22 12:47 ` [kernel-hardening] " Hannes Frederic Sowa
2016-12-22 13:10 ` Jason A. Donenfeld
2016-12-22 15:05 ` Hannes Frederic Sowa
2016-12-22 15:12 ` Jason A. Donenfeld
2016-12-22 15:29 ` Jason A. Donenfeld
2016-12-22 15:33 ` Hannes Frederic Sowa
2016-12-22 15:33 ` [kernel-hardening] " Hannes Frederic Sowa
2016-12-22 15:41 ` Jason A. Donenfeld
2016-12-22 15:51 ` Hannes Frederic Sowa
2016-12-22 15:51 ` [kernel-hardening] " Hannes Frederic Sowa
2016-12-22 15:53 ` Jason A. Donenfeld
2016-12-22 15:54 ` Theodore Ts'o
2016-12-22 15:54 ` [kernel-hardening] " Theodore Ts'o
2016-12-22 18:08 ` Hannes Frederic Sowa
2016-12-22 18:13 ` Jason A. Donenfeld
2016-12-22 18:13 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 19:50 ` Theodore Ts'o
2016-12-22 2:31 ` Jason A. Donenfeld
2016-12-22 2:31 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 2:31 ` Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 4/6] md5: remove from lib and only live in crypto Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 5/6] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 6/6] siphash: implement HalfSipHash1-3 for hash tables Jason A. Donenfeld
2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 0:46 ` Andi Kleen
2016-12-22 0:46 ` [kernel-hardening] " Andi Kleen
2016-12-16 21:01 Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-16 21:15 ` Hannes Frederic Sowa
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161217154152.5oug7mzb4tmfknwv@thunk.org \
--to=tytso@mit.edu \
--cc=David.Laight@aculab.com \
--cc=Jason@zx2c4.com \
--cc=ak@linux.intel.com \
--cc=davem@davemloft.net \
--cc=djb@cr.yp.to \
--cc=ebiggers3@gmail.com \
--cc=hannes@stressinduktion.org \
--cc=jeanphilippe.aumasson@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@sciencehorizons.net \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=tom@herbertland.com \
--cc=torvalds@linux-foundation.org \
--cc=vegard.nossum@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.