From: Andy Lutomirski <luto@amacapital.net>
To: George Spelvin <linux@sciencehorizons.net>
Cc: "Ted Ts'o" <tytso@mit.edu>, Andi Kleen <ak@linux.intel.com>,
"David S. Miller" <davem@davemloft.net>,
David Laight <David.Laight@aculab.com>,
"D. J. Bernstein" <djb@cr.yp.to>,
Eric Biggers <ebiggers3@gmail.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>,
"kernel-hardening@lists.openwall.com"
<kernel-hardening@lists.openwall.com>,
Linux Crypto Mailing List <linux-crypto@vger.kernel.org>,
"linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
Network Development <netdev@vger.kernel.org>,
Tom Herbert <tom@herbertland.com>,
Linus Torvalds <torvalds@linux-foundation.org>,
Vegard Nossum <vegard.nossum@gmail.com>
Subject: Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF
Date: Fri, 16 Dec 2016 14:15:57 -0800 [thread overview]
Message-ID: <CALCETrVXgxy9fvznawtqf+NKda8G9-WpDuD=4_jMmOrx-E59Bw@mail.gmail.com> (raw)
In-Reply-To: <20161216221352.26899.qmail@ns.sciencehorizons.net>
On Fri, Dec 16, 2016 at 2:13 PM, George Spelvin
<linux@sciencehorizons.net> wrote:
>> What should we do with get_random_int() and get_random_long()? In
>> some cases it's being used in performance sensitive areas, and where
>> anti-DoS protection might be enough. In others, maybe not so much.
>
> This is tricky. The entire get_random_int() structure is an abuse of
> the hash function and will need to be thoroughly rethought to convert
> it to SipHash. Remember, SipHash's security goals are very different
> from MD5, so there's no obvious way to do the conversion.
>
> (It's *documented* as "not cryptographically secure", but we know
> where that goes.)
>
>> If we rekeyed the secret used by get_random_int() and
>> get_random_long() frequently (say, every minute or every 5 minutes),
>> would that be sufficient for current and future users of these
>> interfaces?
>
> Remembering that on "real" machines it's full SipHash, then I'd say that
> 64-bit security + rekeying seems reasonable.
>
> The question is, the idea has recently been floated to make hsiphash =
> SipHash-1-3 on 64-bit machines. Is *that* okay?
>
>
> The annoying thing about the currently proposed patch is that the *only*
> chaining is the returned value. What I'd *like* to do is the same
> pattern as we do with md5, and remember v[0..3] between invocations.
> But there's no partial SipHash primitive; we only get one word back.
>
> Even
> *chaining += ret = siphash_3u64(...)
>
> would be an improvement.
This is almost exactly what I suggested in my email on the other
thread from a few seconds ago :)
--Andy
next prev parent reply other threads:[~2016-12-16 22:16 UTC|newest]
Thread overview: 92+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-15 20:29 [PATCH v5 0/4] The SipHash Patchset Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-15 22:42 ` George Spelvin
2016-12-15 23:00 ` Jean-Philippe Aumasson
2016-12-15 23:28 ` George Spelvin
2016-12-16 17:06 ` David Laight
2016-12-16 17:09 ` Jason A. Donenfeld
2016-12-16 3:46 ` George Spelvin
2016-12-16 8:08 ` Jean-Philippe Aumasson
2016-12-16 12:39 ` Jason A. Donenfeld
2016-12-16 13:22 ` Jean-Philippe Aumasson
2016-12-16 15:51 ` Jason A. Donenfeld
2016-12-16 17:36 ` George Spelvin
2016-12-16 18:00 ` Jason A. Donenfeld
2016-12-16 20:17 ` George Spelvin
2016-12-16 20:43 ` Theodore Ts'o
2016-12-16 22:13 ` George Spelvin
2016-12-16 22:15 ` Andy Lutomirski [this message]
2016-12-16 22:18 ` Jason A. Donenfeld
2016-12-16 23:44 ` George Spelvin
2016-12-17 1:39 ` Jason A. Donenfeld
2016-12-17 2:15 ` George Spelvin
2016-12-17 15:41 ` Theodore Ts'o
2016-12-17 16:14 ` Jeffrey Walton
2016-12-19 17:21 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-17 12:42 ` George Spelvin
2016-12-16 20:39 ` Jason A. Donenfeld
2016-12-16 19:47 ` Tom Herbert
2016-12-16 20:41 ` George Spelvin
2016-12-16 20:57 ` Tom Herbert
2016-12-16 20:44 ` Daniel Micay
2016-12-16 21:09 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-17 15:21 ` George Spelvin
2016-12-19 14:14 ` David Laight
2016-12-19 18:10 ` George Spelvin
2016-12-19 20:18 ` Jean-Philippe Aumasson
2016-12-16 2:14 ` kbuild test robot
2016-12-17 14:55 ` Jeffrey Walton
2016-12-19 17:08 ` Jason A. Donenfeld
2016-12-19 17:19 ` Jean-Philippe Aumasson
2016-12-15 20:30 ` [PATCH v5 2/4] siphash: add Nu{32,64} helpers Jason A. Donenfeld
2016-12-16 10:39 ` David Laight
2016-12-16 15:44 ` George Spelvin
2016-12-15 20:30 ` [PATCH v5 3/4] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-16 9:59 ` David Laight
2016-12-16 15:57 ` Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 4/4] random: " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 0/5] The SipHash Patchset Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 1/5] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 2/5] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 3/5] random: " Jason A. Donenfeld
2016-12-16 21:31 ` Andy Lutomirski
2016-12-16 3:03 ` [PATCH v6 4/5] md5: remove from lib and only live in crypto Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 5/5] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 0/6] The SipHash Patchset Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 1/6] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-22 1:40 ` Stephen Hemminger
2016-12-21 23:02 ` [PATCH v7 2/6] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 3/6] random: " Jason A. Donenfeld
2016-12-21 23:13 ` Jason A. Donenfeld
2016-12-21 23:42 ` Andy Lutomirski
2016-12-22 2:07 ` Hannes Frederic Sowa
2016-12-22 2:09 ` Andy Lutomirski
2016-12-22 2:49 ` Jason A. Donenfeld
2016-12-22 3:12 ` Jason A. Donenfeld
2016-12-22 5:41 ` Theodore Ts'o
2016-12-22 6:03 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 15:58 ` Theodore Ts'o
2016-12-22 16:16 ` Jason A. Donenfeld
2016-12-22 16:30 ` [kernel-hardening] " Theodore Ts'o
2016-12-22 16:36 ` Jason A. Donenfeld
2016-12-22 12:47 ` Hannes Frederic Sowa
2016-12-22 13:10 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 15:05 ` Hannes Frederic Sowa
2016-12-22 15:12 ` Jason A. Donenfeld
2016-12-22 15:29 ` Jason A. Donenfeld
2016-12-22 15:33 ` Hannes Frederic Sowa
2016-12-22 15:41 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 15:51 ` Hannes Frederic Sowa
2016-12-22 15:53 ` [kernel-hardening] " Jason A. Donenfeld
2016-12-22 15:54 ` Theodore Ts'o
2016-12-22 18:08 ` [kernel-hardening] " Hannes Frederic Sowa
2016-12-22 18:13 ` Jason A. Donenfeld
2016-12-22 19:50 ` [kernel-hardening] " Theodore Ts'o
2016-12-22 2:31 ` Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 4/6] md5: remove from lib and only live in crypto Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 5/6] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 6/6] siphash: implement HalfSipHash1-3 for hash tables Jason A. Donenfeld
2016-12-22 0:46 ` Andi Kleen
2016-12-16 20:43 [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-16 20:49 Jason A. Donenfeld
2016-12-16 21:25 ` George Spelvin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CALCETrVXgxy9fvznawtqf+NKda8G9-WpDuD=4_jMmOrx-E59Bw@mail.gmail.com' \
--to=luto@amacapital.net \
--cc=David.Laight@aculab.com \
--cc=Jason@zx2c4.com \
--cc=ak@linux.intel.com \
--cc=davem@davemloft.net \
--cc=djb@cr.yp.to \
--cc=ebiggers3@gmail.com \
--cc=hannes@stressinduktion.org \
--cc=jeanphilippe.aumasson@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@sciencehorizons.net \
--cc=netdev@vger.kernel.org \
--cc=tom@herbertland.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=vegard.nossum@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).