All of lore.kernel.org
 help / color / mirror / Atom feed
* RFC random(4) We don't need no steenking ...
@ 2022-01-27  9:04 Sandy Harris
  2022-01-27 19:08 ` Eric Biggers
  0 siblings, 1 reply; 4+ messages in thread
From: Sandy Harris @ 2022-01-27  9:04 UTC (permalink / raw)
  To: Linux Crypto Mailing List, Ted Ts'o, Jason A. Donenfeld,
	Herbert Xu, John Denker

In normal usage of either a hash or a cipher, consistent results are
needed because we want the hash to be usable for authentication and
the cipher to be decryptable. We therefore require a standard
initialisation using known constants, macros to deal with endinanness
so different systems can get the same results, and sometimes locking
of the inputs to avoid having a hash give indeterminate results.

I would contend that in the context of random(4), none of the above
are desirable, except perhaps for the first initialisation at boot
time & even that should use random data rather than constants if
possible, Thereafter, the input pool, hash context & chacha context
should all be updated only with ^= or += so they cannot lose entropy.
Nor should any code here lock any structure it only reads or
manipulate data for endianness.

Current code in extract_buf() declares a local struct blake2s_state,
calls blake2s_init() which uses initialisation constants, and moves
data into the chacha state with memcpy(). As I see it, those are
mistakes.

I'm inclined to think we need only one 512-bit context[]; use chacha
on it to generate output and hash directly into it to rekey. I have
not yet worked out the details or all the implications.

Other opinions?

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: RFC random(4) We don't need no steenking ...
  2022-01-27  9:04 RFC random(4) We don't need no steenking Sandy Harris
@ 2022-01-27 19:08 ` Eric Biggers
  2022-01-28  0:12   ` Sandy Harris
  0 siblings, 1 reply; 4+ messages in thread
From: Eric Biggers @ 2022-01-27 19:08 UTC (permalink / raw)
  To: Sandy Harris
  Cc: Linux Crypto Mailing List, Ted Ts'o, Jason A. Donenfeld,
	Herbert Xu, John Denker

On Thu, Jan 27, 2022 at 05:04:07PM +0800, Sandy Harris wrote:
> Current code in extract_buf() declares a local struct blake2s_state,
> calls blake2s_init() which uses initialisation constants

Which is good, because BLAKE2s is defined to use certain constants.  If
different constants were used, then it wouldn't be BLAKE2s anymore, but rather
some homebrew crypto with unknown security properties (like the old "SHA-1" that
wasn't really SHA-1).

> and moves data into the chacha state with memcpy().

It's actually XOR'd in.  Please take a closer look at crng_reseed().

- Eric

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: RFC random(4) We don't need no steenking ...
  2022-01-27 19:08 ` Eric Biggers
@ 2022-01-28  0:12   ` Sandy Harris
  2022-01-28  0:39     ` Jason A. Donenfeld
  0 siblings, 1 reply; 4+ messages in thread
From: Sandy Harris @ 2022-01-28  0:12 UTC (permalink / raw)
  To: Eric Biggers
  Cc: Linux Crypto Mailing List, Ted Ts'o, Jason A. Donenfeld,
	Herbert Xu, John Denker

Eric Biggers <ebiggers@kernel.org> wrote:

> On Thu, Jan 27, 2022 at 05:04:07PM +0800, Sandy Harris wrote:
> > Current code in extract_buf() declares a local struct blake2s_state,
> > calls blake2s_init() which uses initialisation constants
>
> Which is good, because BLAKE2s is defined to use certain constants.  If
> different constants were used, then it wouldn't be BLAKE2s anymore, but rather
> some homebrew crypto with unknown security properties (like the old "SHA-1" that
> wasn't really SHA-1).

That's a reasonable argument & something very similar applies to
chacha usage. I do not think it holds water, though, since we
would still use the blake & chacha transforms. Even in blake,
every iteration except the first applies the transform to
arbitrary somewhat random data.

> > and moves data into the chacha state with memcpy().
>
> It's actually XOR'd in.  Please take a closer look at crng_reseed().

You are correct.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: RFC random(4) We don't need no steenking ...
  2022-01-28  0:12   ` Sandy Harris
@ 2022-01-28  0:39     ` Jason A. Donenfeld
  0 siblings, 0 replies; 4+ messages in thread
From: Jason A. Donenfeld @ 2022-01-28  0:39 UTC (permalink / raw)
  To: Sandy Harris
  Cc: Eric Biggers, Linux Crypto Mailing List, Ted Ts'o,
	Herbert Xu, John Denker

On 1/28/22, Sandy Harris <sandyinchina@gmail.com> wrote:
>
> Even in blake,
> every iteration except the first applies the transform to
> arbitrary somewhat random data.

No. The compression function uses the IV always, to break potential symmetries.

If you have a concrete idea, please just send a patch with good argumentation.

^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-01-28  0:39 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-01-27  9:04 RFC random(4) We don't need no steenking Sandy Harris
2022-01-27 19:08 ` Eric Biggers
2022-01-28  0:12   ` Sandy Harris
2022-01-28  0:39     ` Jason A. Donenfeld

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.