From: Stephan Mueller
Date: Wed, 20 Sep 2017 13:45:07 +0000
Subject: Re: [PATCH v6] security/keys: rewrite all of big_key crypto
Message-Id: <2545404.XUVGGHhd0i@tauon.chronox.de>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
References: <1593673.B5xods8kYN@tauon.chronox.de>
To: "Jason A. Donenfeld"
Cc: linux-security-module@vger.kernel.org, keyrings@vger.kernel.org, kernel-hardening@lists.openwall.com, LKML, David Howells, Eric Biggers, Herbert Xu, Kirill Marinushkin, security@kernel.org, stable@vger.kernel.org

On Wednesday, 20 September 2017, 12:52:21 CEST, Jason A. Donenfeld wrote:

Hi Jason,

>
> This sounds incorrect to me. Choosing a fresh, random, one-time-use
> 256-bit key and rolling with a zero nonce is a totally legitimate way
> of using GCM. There's no possible reuse of the key stream this way.
> However, on the off chance that you know what you're talking about,
> could you outline the cryptographic attack you have in mind, or if
> that's too difficult, simply link to the relevant paper on eprint?

http://csrc.nist.gov/groups/ST/toolkit/BCM/documents/Joux_comments.pdf

Ciao
Stephan