From: "Jason A. Donenfeld" <Jason@zx2c4.com>
To: dodis@cs.nyu.edu, tytso@mit.edu, nadiah@cs.ucsd.edu,
noahsd@gmail.com, tessaro@cs.washington.edu,
torvalds@linux-foundation.org, jeanphilippe.aumasson@gmail.com,
jann@thejh.net, keescook@chromium.org,
gregkh@linuxfoundation.org, peter@cryptojedi.org,
linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org,
"D. J. Bernstein" <djb@cr.yp.to>
Subject: Re: is "premature next" a real world rng concern, or just an academic exercise?
Date: Tue, 10 May 2022 22:09:04 +0200 [thread overview]
Message-ID: <YnrGYMyEL8qPMRGt@zx2c4.com> (raw)
In-Reply-To: <20220510185123.80607.qmail@cr.yp.to>
Hey Dan,
On Tue, May 10, 2022 at 08:51:23PM +0200, D. J. Bernstein wrote:
> Jason A. Donenfeld writes:
> > Right, VMs are super problematic, but for that, there's now this
> > "vmgenid" driver, where the hypervisor actually gives a 128-bit seed to
> > guests when they're resumed, so that we can immediately reseed, which
> > should pretty comprehensively handle that situation.
>
> Hmmm. If an application initializes its own RNG state from /dev/urandom,
> and is then cloned, and then generates an ECDSA nonce from the RNG
> state, and then uses this nonce to sign a message that's different
> across the clones, how is disaster averted?
Currently WireGuard will drop its ephemeral session key material from
the tx path, to prevent nonce use. This is because of an in-kernel
mechanism I added in 5.18, which is pretty minimal and non-invasive, and
came basically for free. CTRL+F for "vmgenid" in here for details:
https://www.zx2c4.com/projects/linux-rng-5.17-5.18/
For 5.19 (or at this point, more likely 5.20), there's a userspace
notifier in store, maybe, if I can figure out how to do it right.
There's a pretty bikesheddy thread here on what shape that interface
should take: https://lore.kernel.org/lkml/YnA5CUJKvqmXJxf2@zx2c4.com/
But basically there are some details about how an async interface should
work, and what the virtual hardware future, if any, looks like for a
memory mapped race-free polling interface. Plus some considerations on
how much we should care etc.
> Given the goal of sending money to cryptographers, I'm pretty sure we
> want the answer to be a security-audit nightmare, so let me suggest the
> following idea. There's SIGWINCH to notify processes about window-size
> changes, so there should also be a signal for RNG changes, which should
> be called SIGRINCH, and there should be a different mechanism to address
> RNG output cloning inside the kernel, and there should be endless papers
> on Grinch Attacks, including papers that sort of prove security against
> Grinch Attacks, and deployment of software that's sort of protected
> against Grinch Attacks, and fear of the bad PR from abandoning anything
> labeled as protection, because, hey, _maybe_ the protection accomplishes
> something, and it's not as if anyone is going to be blamed for whatever
> damage is caused by the systems-level effect of the added complexity.
I mean... you kid, but you're also kind of on point here. There are
about a thousand ways of doing this kind of notification that lead to
impossible-to-program-for paradigms that people will find necessary to
implement, and it'll be a nightmare if not done in a sufficiently slick
way. For the in-kernel thing WireGuard uses, it doesn't really matter
because the kernel is one big codebase so ergonomics can change need be.
But userspace is another challenge.
Jason
next prev parent reply other threads:[~2022-05-10 20:09 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-27 13:58 is "premature next" a real world rng concern, or just an academic exercise? Jason A. Donenfeld
2022-04-28 4:26 ` Nadia Heninger
2022-04-30 2:08 ` Sandy Harris
2022-05-01 0:49 ` tytso
2022-05-01 11:16 ` Jason A. Donenfeld
[not found] ` <CAMvzKsiA52Si=PzOJXYwGSA1WUz-1S0A8cpgRJWDzpMkfFbX+Q@mail.gmail.com>
2022-05-09 15:55 ` Yevgeniy Dodis
2022-05-10 15:21 ` Jason A. Donenfeld
2022-05-10 18:51 ` D. J. Bernstein
2022-05-10 20:09 ` Jason A. Donenfeld [this message]
2022-05-10 21:33 ` Simo Sorce
2022-05-10 22:50 ` Jason A. Donenfeld
2022-05-11 20:26 ` Thomas Ristenpart
2022-05-12 11:47 ` Jason A. Donenfeld
2022-05-13 6:19 ` Dominik Brodowski
2022-05-11 20:46 ` Pavel Machek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YnrGYMyEL8qPMRGt@zx2c4.com \
--to=jason@zx2c4.com \
--cc=djb@cr.yp.to \
--cc=dodis@cs.nyu.edu \
--cc=gregkh@linuxfoundation.org \
--cc=jann@thejh.net \
--cc=jeanphilippe.aumasson@gmail.com \
--cc=keescook@chromium.org \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nadiah@cs.ucsd.edu \
--cc=noahsd@gmail.com \
--cc=peter@cryptojedi.org \
--cc=tessaro@cs.washington.edu \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).