From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stephen Hemminger Subject: Re: [PATCH v7 1/6] siphash: add cryptographically secure PRF Date: Wed, 21 Dec 2016 17:40:26 -0800 Message-ID: <20161221174026.1b25fd80@xeon-e3> References: <20161216030328.11602-1-Jason@zx2c4.com> <20161221230216.25341-1-Jason@zx2c4.com> <20161221230216.25341-2-Jason@zx2c4.com> Reply-To: kernel-hardening@lists.openwall.com Mime-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Cc: Netdev , kernel-hardening@lists.openwall.com, LKML , linux-crypto@vger.kernel.org, David Laight , Ted Tso , Hannes Frederic Sowa , edumazet@google.com, Linus Torvalds , Eric Biggers , Tom Herbert , ak@linux.intel.com, davem@davemloft.net, luto@amacapital.net, Jean-Philippe Aumasson , Eric Dumazet To: "Jason A. Donenfeld" Return-path: List-Post: List-Help: List-Unsubscribe: List-Subscribe: In-Reply-To: <20161221230216.25341-2-Jason@zx2c4.com> List-Id: linux-crypto.vger.kernel.org On Thu, 22 Dec 2016 00:02:11 +0100 "Jason A. Donenfeld" wrote: > SipHash is a 64-bit keyed hash function that is actually a > cryptographically secure PRF, like HMAC. Except SipHash is super fast, > and is meant to be used as a hashtable keyed lookup function, or as a > general PRF for short input use cases, such as sequence numbers or RNG > chaining. > > For the first usage: > > There are a variety of attacks known as "hashtable poisoning" in which an > attacker forms some data such that the hash of that data will be the > same, and then preceeds to fill up all entries of a hashbucket. This is > a realistic and well-known denial-of-service vector. Currently > hashtables use jhash, which is fast but not secure, and some kind of > rotating key scheme (or none at all, which isn't good). SipHash is meant > as a replacement for jhash in these cases. > > There are a modicum of places in the kernel that are vulnerable to > hashtable poisoning attacks, either via userspace vectors or network > vectors, and there's not a reliable mechanism inside the kernel at the > moment to fix it. The first step toward fixing these issues is actually > getting a secure primitive into the kernel for developers to use. Then > we can, bit by bit, port things over to it as deemed appropriate. > > While SipHash is extremely fast for a cryptographically secure function, > it is likely a bit slower than the insecure jhash, and so replacements > will be evaluated on a case-by-case basis based on whether or not the > difference in speed is negligible and whether or not the current jhash usage > poses a real security risk. > > For the second usage: > > A few places in the kernel are using MD5 or SHA1 for creating secure > sequence numbers, syn cookies, port numbers, or fast random numbers. > SipHash is a faster and more fitting, and more secure replacement for MD5 > in those situations. Replacing MD5 and SHA1 with SipHash for these uses is > obvious and straight-forward, and so is submitted along with this patch > series. There shouldn't be much of a debate over its efficacy. > > Dozens of languages are already using this internally for their hash > tables and PRFs. Some of the BSDs already use this in their kernels. > SipHash is a widely known high-speed solution to a widely known set of > problems, and it's time we catch-up. > > Signed-off-by: Jason A. Donenfeld > Cc: Jean-Philippe Aumasson > Cc: Linus Torvalds > Cc: Eric Biggers > Cc: David Laight > Cc: Eric Dumazet The networking tree (net-next) which is where you are submitting to is technically closed right now. From mboxrd@z Thu Jan 1 00:00:00 1970 Reply-To: kernel-hardening@lists.openwall.com Date: Wed, 21 Dec 2016 17:40:26 -0800 From: Stephen Hemminger Message-ID: <20161221174026.1b25fd80@xeon-e3> In-Reply-To: <20161221230216.25341-2-Jason@zx2c4.com> References: <20161216030328.11602-1-Jason@zx2c4.com> <20161221230216.25341-1-Jason@zx2c4.com> <20161221230216.25341-2-Jason@zx2c4.com> MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Subject: [kernel-hardening] Re: [PATCH v7 1/6] siphash: add cryptographically secure PRF To: "Jason A. Donenfeld" Cc: Netdev , kernel-hardening@lists.openwall.com, LKML , linux-crypto@vger.kernel.org, David Laight , Ted Tso , Hannes Frederic Sowa , edumazet@google.com, Linus Torvalds , Eric Biggers , Tom Herbert , ak@linux.intel.com, davem@davemloft.net, luto@amacapital.net, Jean-Philippe Aumasson , Eric Dumazet List-ID: On Thu, 22 Dec 2016 00:02:11 +0100 "Jason A. Donenfeld" wrote: > SipHash is a 64-bit keyed hash function that is actually a > cryptographically secure PRF, like HMAC. Except SipHash is super fast, > and is meant to be used as a hashtable keyed lookup function, or as a > general PRF for short input use cases, such as sequence numbers or RNG > chaining. > > For the first usage: > > There are a variety of attacks known as "hashtable poisoning" in which an > attacker forms some data such that the hash of that data will be the > same, and then preceeds to fill up all entries of a hashbucket. This is > a realistic and well-known denial-of-service vector. Currently > hashtables use jhash, which is fast but not secure, and some kind of > rotating key scheme (or none at all, which isn't good). SipHash is meant > as a replacement for jhash in these cases. > > There are a modicum of places in the kernel that are vulnerable to > hashtable poisoning attacks, either via userspace vectors or network > vectors, and there's not a reliable mechanism inside the kernel at the > moment to fix it. The first step toward fixing these issues is actually > getting a secure primitive into the kernel for developers to use. Then > we can, bit by bit, port things over to it as deemed appropriate. > > While SipHash is extremely fast for a cryptographically secure function, > it is likely a bit slower than the insecure jhash, and so replacements > will be evaluated on a case-by-case basis based on whether or not the > difference in speed is negligible and whether or not the current jhash usage > poses a real security risk. > > For the second usage: > > A few places in the kernel are using MD5 or SHA1 for creating secure > sequence numbers, syn cookies, port numbers, or fast random numbers. > SipHash is a faster and more fitting, and more secure replacement for MD5 > in those situations. Replacing MD5 and SHA1 with SipHash for these uses is > obvious and straight-forward, and so is submitted along with this patch > series. There shouldn't be much of a debate over its efficacy. > > Dozens of languages are already using this internally for their hash > tables and PRFs. Some of the BSDs already use this in their kernels. > SipHash is a widely known high-speed solution to a widely known set of > problems, and it's time we catch-up. > > Signed-off-by: Jason A. Donenfeld > Cc: Jean-Philippe Aumasson > Cc: Linus Torvalds > Cc: Eric Biggers > Cc: David Laight > Cc: Eric Dumazet The networking tree (net-next) which is where you are submitting to is technically closed right now.