From: Jeffrey Walton <noloader@gmail.com> To: "Theodore Ts'o" <tytso@mit.edu>, kernel-hardening@lists.openwall.com, "Jason A. Donenfeld" <Jason@zx2c4.com>, George Spelvin <linux@sciencehorizons.net>, ak@linux.intel.com, davem@davemloft.net, David Laight <David.Laight@aculab.com>, "D. J. Bernstein" <djb@cr.yp.to>, Eric Biggers <ebiggers3@gmail.com>, Hannes Frederic Sowa <hannes@stressinduktion.org>, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, linux-crypto@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, luto@amacapital.net, Netdev <netdev@vger.kernel.org>, Tom Herbert <tom@herbertland.com>, Linus Torvalds <torvalds@linux-foundation.org>, Vegard Nossum <vegard.nossum@gmail.com> Subject: Re: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF Date: Sat, 17 Dec 2016 11:14:47 -0500 [thread overview] Message-ID: <CAH8yC8kYHNo6T9-C3E0vyu7Mz-xGRLzLOifLFYsBMkoK92qmiA@mail.gmail.com> (raw) In-Reply-To: <20161217154152.5oug7mzb4tmfknwv@thunk.org> > As far as half-siphash is concerned, it occurs to me that the main > problem will be those users who need to guarantee that output can't be > guessed over a long period of time. For example, if you have a > long-running process, then the output needs to remain unguessable over > potentially months or years, or else you might be weakening the ASLR > protections. If on the other hand, the hash table or the process will > be going away in a matter of seconds or minutes, the requirements with > respect to cryptographic strength go down significantly. Perhaps SipHash-4-8 should be used instead of SipHash-2-4. I believe SipHash-4-8 is recommended for the security conscious who want to be more conservative in their security estimates. SipHash-4-8 does not add much more processing. If you are clocking SipHash-2-4 at 2.0 or 2.5 cpb, then SipHash-4-8 will run at 3.0 to 4.0. Both are well below MD5 times. (At least with the data sets I've tested). > Now, maybe this doesn't matter that much if we can guarantee (or make > assumptions) that the attacker doesn't have unlimited access the > output stream of get_random_{long,int}(), or if it's being used in an > anti-DOS use case where it ultimately only needs to be harder than > alternate ways of attacking the system. > > Rekeying every five minutes doesn't necessarily help the with respect > to ASLR, but it might reduce the amount of the output stream that > would be available to the attacker in order to be able to attack the > get_random_{long,int}() generator, and it also reduces the value of > doing that attack to only compromising the ASLR for those processes > started within that five minute window. Forgive my ignorance... I did not find reading on using the primitive in a PRNG. Does anyone know what Aumasson or Bernstein have to say? Aumasson's site does not seem to discuss the use case: https://www.google.com/search?q=siphash+rng+site%3A131002.net. (And their paper only mentions random-number once in a different context). Making the leap from internal hash tables and short-lived network packets to the rng case may leave something to be desired, especially if the bits get used in unanticipated ways, like creating long term private keys. Jeff
WARNING: multiple messages have this Message-ID (diff)
From: Jeffrey Walton <noloader@gmail.com> To: "Theodore Ts'o" <tytso@mit.edu>, kernel-hardening@lists.openwall.com, "Jason A. Donenfeld" <Jason@zx2c4.com>, George Spelvin <linux@sciencehorizons.net>, ak@linux.intel.com, davem@davemloft.net, David Laight <David.Laight@aculab.com>, "D. J. Bernstein" <djb@cr.yp.to>, Eric Biggers <ebiggers3@gmail.com>, Hannes Frederic Sowa <hannes@stressinduktion.org>, Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>, linux-crypto@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, luto@amacapital.net, Netdev <netdev@vger.kernel.org>, Tom Herbert <tom@herbertland.com>, Linus Torvalds <torvalds@linux-foundation.org>, Vegard Nossum <vegard.nossum@gmail.com> Subject: Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF Date: Sat, 17 Dec 2016 11:14:47 -0500 [thread overview] Message-ID: <CAH8yC8kYHNo6T9-C3E0vyu7Mz-xGRLzLOifLFYsBMkoK92qmiA@mail.gmail.com> (raw) In-Reply-To: <20161217154152.5oug7mzb4tmfknwv@thunk.org> > As far as half-siphash is concerned, it occurs to me that the main > problem will be those users who need to guarantee that output can't be > guessed over a long period of time. For example, if you have a > long-running process, then the output needs to remain unguessable over > potentially months or years, or else you might be weakening the ASLR > protections. If on the other hand, the hash table or the process will > be going away in a matter of seconds or minutes, the requirements with > respect to cryptographic strength go down significantly. Perhaps SipHash-4-8 should be used instead of SipHash-2-4. I believe SipHash-4-8 is recommended for the security conscious who want to be more conservative in their security estimates. SipHash-4-8 does not add much more processing. If you are clocking SipHash-2-4 at 2.0 or 2.5 cpb, then SipHash-4-8 will run at 3.0 to 4.0. Both are well below MD5 times. (At least with the data sets I've tested). > Now, maybe this doesn't matter that much if we can guarantee (or make > assumptions) that the attacker doesn't have unlimited access the > output stream of get_random_{long,int}(), or if it's being used in an > anti-DOS use case where it ultimately only needs to be harder than > alternate ways of attacking the system. > > Rekeying every five minutes doesn't necessarily help the with respect > to ASLR, but it might reduce the amount of the output stream that > would be available to the attacker in order to be able to attack the > get_random_{long,int}() generator, and it also reduces the value of > doing that attack to only compromising the ASLR for those processes > started within that five minute window. Forgive my ignorance... I did not find reading on using the primitive in a PRNG. Does anyone know what Aumasson or Bernstein have to say? Aumasson's site does not seem to discuss the use case: https://www.google.com/search?q=siphash+rng+site%3A131002.net. (And their paper only mentions random-number once in a different context). Making the leap from internal hash tables and short-lived network packets to the rng case may leave something to be desired, especially if the bits get used in unanticipated ways, like creating long term private keys. Jeff
next prev parent reply other threads:[~2016-12-17 16:14 UTC|newest] Thread overview: 181+ messages / expand[flat|nested] mbox.gz Atom feed top 2016-12-15 20:29 [PATCH v5 0/4] The SipHash Patchset Jason A. Donenfeld 2016-12-15 20:29 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-15 20:30 ` [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-15 22:42 ` George Spelvin 2016-12-15 22:42 ` [kernel-hardening] " George Spelvin 2016-12-15 23:00 ` Jean-Philippe Aumasson 2016-12-15 23:00 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-15 23:28 ` George Spelvin 2016-12-15 23:28 ` [kernel-hardening] " George Spelvin 2016-12-16 17:06 ` David Laight 2016-12-16 17:06 ` [kernel-hardening] " David Laight 2016-12-16 17:06 ` David Laight 2016-12-16 17:09 ` Jason A. Donenfeld 2016-12-16 17:09 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 17:09 ` Jason A. Donenfeld 2016-12-16 3:46 ` George Spelvin 2016-12-16 3:46 ` [kernel-hardening] " George Spelvin 2016-12-16 8:08 ` Jean-Philippe Aumasson 2016-12-16 8:08 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-16 12:39 ` Jason A. Donenfeld 2016-12-16 12:39 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 13:22 ` Jean-Philippe Aumasson 2016-12-16 13:22 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-16 15:51 ` Jason A. Donenfeld 2016-12-16 15:51 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 17:36 ` George Spelvin 2016-12-16 17:36 ` [kernel-hardening] " George Spelvin 2016-12-16 18:00 ` Jason A. Donenfeld 2016-12-16 18:00 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 20:17 ` George Spelvin 2016-12-16 20:17 ` [kernel-hardening] " George Spelvin 2016-12-16 20:43 ` Theodore Ts'o 2016-12-16 20:43 ` [kernel-hardening] " Theodore Ts'o 2016-12-16 22:13 ` George Spelvin 2016-12-16 22:13 ` [kernel-hardening] " George Spelvin 2016-12-16 22:15 ` Andy Lutomirski 2016-12-16 22:15 ` [kernel-hardening] " Andy Lutomirski 2016-12-16 22:15 ` Andy Lutomirski 2016-12-16 22:18 ` Jason A. Donenfeld 2016-12-16 22:18 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 23:44 ` George Spelvin 2016-12-16 23:44 ` [kernel-hardening] " George Spelvin 2016-12-17 1:39 ` Jason A. Donenfeld 2016-12-17 1:39 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-17 2:15 ` George Spelvin 2016-12-17 2:15 ` [kernel-hardening] " George Spelvin 2016-12-17 15:41 ` Theodore Ts'o 2016-12-17 15:41 ` [kernel-hardening] " Theodore Ts'o 2016-12-17 16:14 ` Jeffrey Walton [this message] 2016-12-17 16:14 ` Jeffrey Walton 2016-12-19 17:21 ` Jason A. Donenfeld 2016-12-17 12:42 ` George Spelvin 2016-12-17 12:42 ` [kernel-hardening] " George Spelvin 2016-12-16 20:39 ` Jason A. Donenfeld 2016-12-16 20:39 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 19:47 ` Tom Herbert 2016-12-16 19:47 ` [kernel-hardening] " Tom Herbert 2016-12-16 20:41 ` George Spelvin 2016-12-16 20:41 ` [kernel-hardening] " George Spelvin 2016-12-16 20:57 ` Tom Herbert 2016-12-16 20:57 ` [kernel-hardening] " Tom Herbert 2016-12-16 20:44 ` Daniel Micay 2016-12-16 20:44 ` [kernel-hardening] " Daniel Micay 2016-12-16 21:09 ` Jason A. Donenfeld 2016-12-17 15:21 ` George Spelvin 2016-12-17 15:21 ` [kernel-hardening] " George Spelvin 2016-12-19 14:14 ` David Laight 2016-12-19 14:14 ` [kernel-hardening] " David Laight 2016-12-19 14:14 ` David Laight 2016-12-19 18:10 ` George Spelvin 2016-12-19 18:10 ` [kernel-hardening] " George Spelvin 2016-12-19 20:18 ` Jean-Philippe Aumasson 2016-12-19 20:18 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-16 2:14 ` kbuild test robot 2016-12-16 2:14 ` [kernel-hardening] " kbuild test robot 2016-12-17 14:55 ` Jeffrey Walton 2016-12-17 14:55 ` [kernel-hardening] " Jeffrey Walton 2016-12-19 17:08 ` Jason A. Donenfeld 2016-12-19 17:08 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-19 17:19 ` Jean-Philippe Aumasson 2016-12-19 17:19 ` [kernel-hardening] " Jean-Philippe Aumasson 2016-12-15 20:30 ` [PATCH v5 2/4] siphash: add Nu{32,64} helpers Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 10:39 ` David Laight 2016-12-16 10:39 ` [kernel-hardening] " David Laight 2016-12-16 10:39 ` David Laight 2016-12-16 15:44 ` George Spelvin 2016-12-16 15:44 ` [kernel-hardening] " George Spelvin 2016-12-15 20:30 ` [PATCH v5 3/4] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 9:59 ` David Laight 2016-12-16 9:59 ` [kernel-hardening] " David Laight 2016-12-16 9:59 ` David Laight 2016-12-16 15:57 ` Jason A. Donenfeld 2016-12-16 15:57 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 15:57 ` Jason A. Donenfeld 2016-12-15 20:30 ` [PATCH v5 4/4] random: " Jason A. Donenfeld 2016-12-15 20:30 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 0/5] The SipHash Patchset Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 1/5] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 2/5] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 3/5] random: " Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 21:31 ` Andy Lutomirski 2016-12-16 21:31 ` [kernel-hardening] " Andy Lutomirski 2016-12-16 21:31 ` Andy Lutomirski 2016-12-16 3:03 ` [PATCH v6 4/5] md5: remove from lib and only live in crypto Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-16 3:03 ` [PATCH v6 5/5] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld 2016-12-16 3:03 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 0/6] The SipHash Patchset Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 1/6] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 1:40 ` Stephen Hemminger 2016-12-22 1:40 ` [kernel-hardening] " Stephen Hemminger 2016-12-21 23:02 ` [PATCH v7 2/6] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 3/6] random: " Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:13 ` Jason A. Donenfeld 2016-12-21 23:13 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:42 ` Andy Lutomirski 2016-12-21 23:42 ` [kernel-hardening] " Andy Lutomirski 2016-12-21 23:42 ` Andy Lutomirski 2016-12-22 2:07 ` Hannes Frederic Sowa 2016-12-22 2:07 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 2:07 ` Hannes Frederic Sowa 2016-12-22 2:09 ` Andy Lutomirski 2016-12-22 2:09 ` [kernel-hardening] " Andy Lutomirski 2016-12-22 2:09 ` Andy Lutomirski 2016-12-22 2:49 ` Jason A. Donenfeld 2016-12-22 2:49 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 2:49 ` Jason A. Donenfeld 2016-12-22 3:12 ` Jason A. Donenfeld 2016-12-22 3:12 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 3:12 ` Jason A. Donenfeld 2016-12-22 5:41 ` Theodore Ts'o 2016-12-22 5:41 ` [kernel-hardening] " Theodore Ts'o 2016-12-22 6:03 ` Jason A. Donenfeld 2016-12-22 15:58 ` Theodore Ts'o 2016-12-22 15:58 ` [kernel-hardening] " Theodore Ts'o 2016-12-22 16:16 ` Jason A. Donenfeld 2016-12-22 16:16 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 16:30 ` Theodore Ts'o 2016-12-22 16:36 ` Jason A. Donenfeld 2016-12-22 12:47 ` Hannes Frederic Sowa 2016-12-22 12:47 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 13:10 ` Jason A. Donenfeld 2016-12-22 15:05 ` Hannes Frederic Sowa 2016-12-22 15:12 ` Jason A. Donenfeld 2016-12-22 15:29 ` Jason A. Donenfeld 2016-12-22 15:33 ` Hannes Frederic Sowa 2016-12-22 15:33 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 15:41 ` Jason A. Donenfeld 2016-12-22 15:51 ` Hannes Frederic Sowa 2016-12-22 15:51 ` [kernel-hardening] " Hannes Frederic Sowa 2016-12-22 15:53 ` Jason A. Donenfeld 2016-12-22 15:54 ` Theodore Ts'o 2016-12-22 15:54 ` [kernel-hardening] " Theodore Ts'o 2016-12-22 18:08 ` Hannes Frederic Sowa 2016-12-22 18:13 ` Jason A. Donenfeld 2016-12-22 18:13 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 19:50 ` Theodore Ts'o 2016-12-22 2:31 ` Jason A. Donenfeld 2016-12-22 2:31 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 2:31 ` Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 4/6] md5: remove from lib and only live in crypto Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 5/6] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-21 23:02 ` [PATCH v7 6/6] siphash: implement HalfSipHash1-3 for hash tables Jason A. Donenfeld 2016-12-21 23:02 ` [kernel-hardening] " Jason A. Donenfeld 2016-12-22 0:46 ` Andi Kleen 2016-12-22 0:46 ` [kernel-hardening] " Andi Kleen 2016-12-16 21:01 Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld 2016-12-16 21:15 ` Hannes Frederic Sowa
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=CAH8yC8kYHNo6T9-C3E0vyu7Mz-xGRLzLOifLFYsBMkoK92qmiA@mail.gmail.com \ --to=noloader@gmail.com \ --cc=David.Laight@aculab.com \ --cc=Jason@zx2c4.com \ --cc=ak@linux.intel.com \ --cc=davem@davemloft.net \ --cc=djb@cr.yp.to \ --cc=ebiggers3@gmail.com \ --cc=hannes@stressinduktion.org \ --cc=jeanphilippe.aumasson@gmail.com \ --cc=kernel-hardening@lists.openwall.com \ --cc=linux-crypto@vger.kernel.org \ --cc=linux-kernel@vger.kernel.org \ --cc=linux@sciencehorizons.net \ --cc=luto@amacapital.net \ --cc=netdev@vger.kernel.org \ --cc=tom@herbertland.com \ --cc=torvalds@linux-foundation.org \ --cc=tytso@mit.edu \ --cc=vegard.nossum@gmail.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.