From: Jamie Lokier <jamie@shareable.org>
To: David Wagner <daw@mozart.cs.berkeley.edu>
Cc: linux-kernel@vger.kernel.org
Subject: Re: [RFC][PATCH] Make cryptoapi non-optional?
Date: Wed, 13 Aug 2003 20:37:13 +0100 [thread overview]
Message-ID: <20030813193713.GF4405@mail.jlokier.co.uk> (raw)
In-Reply-To: <bh8qat$d7i$1@abraham.cs.berkeley.edu>
David Wagner wrote:
> >It may be that an attacker knows about a systemic problem with our
> >machine that we don't know about. For example the attacker might know
> >our pool state well enough shortly after boot time, to have a chance
> >at matching a dictionary of 2^32 hashes. The attacker might have had
> >a chance to read our disk, which reseeding the pool at boot time does
> >not protect against.
> >
> >With the right algorithm, we can protect against weaknesses of this kind.
>
> How? No matter what we do, the outputs are going to be a deterministic
> function of the state of the pool. If the attacker can guess the entire
> state of our pool (or narrow it down to 2^32 possibilities), we're screwed,
> no matter what. Right?
Right if the attacker can guess the entire pool state. If it's
narrowed to 2^32 possibilities, the question is, how hard do we make
it for the attacker to narrow it down further?
By hashing over fewer than all the internal state bits, we prevent the
attacker from narrowing down knowledge of the unhashed bits _from a
single hash_, under those conditions where it's possible for the
hashed bits to be a weak state while the unhashed bits may not be
determined by the hashed bits.
This can sometimes be true, theoretically, and sometimes it will not
be true.
If the attacker can read multiple hash results, though, they will
eventually have enough to guess the entire pool state anyway, if the
state is weak as a whole. Also, by hashing over fewer bits, some
kinds of partially-weak state, where a subset of bits is weak but
other bits are unguessable, become guessable where they would not be
with hashing over the whole state.
It's a convoluted enough mix of pros and cons that you can see why I
said, in my last reply to Matt & Ted, that hashing over fewer bits than in
the pool is of dubious value.
-- Jamie
next prev parent reply other threads:[~2003-08-13 19:37 UTC|newest]
Thread overview: 120+ messages / expand[flat|nested] mbox.gz Atom feed top
2003-08-09 7:44 [RFC][PATCH] Make cryptoapi non-optional? Matt Mackall
2003-08-09 8:04 ` David S. Miller
2003-08-09 14:05 ` Matt Mackall
2003-08-09 17:39 ` David S. Miller
2003-08-09 19:46 ` Matt Mackall
2003-08-09 20:17 ` David S. Miller
2003-08-10 8:15 ` Matt Mackall
2003-08-10 8:32 ` virt_to_offset() (Re: [RFC][PATCH] Make cryptoapi non-optional?) YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 8:30 ` David S. Miller
2003-08-10 9:02 ` virt_to_offset() YOSHIFUJI Hideaki / 吉藤英明
2003-08-11 18:21 ` virt_to_offset() David Mosberger
2003-08-12 2:46 ` virt_to_offset() David S. Miller
2003-08-10 9:05 ` virt_to_offset() (Re: [RFC][PATCH] Make cryptoapi non-optional?) Matt Mackall
2003-08-10 9:04 ` David S. Miller
2003-08-10 11:00 ` [PATCH 1/9] introduce virt_to_pagoff() YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:00 ` [PATCH 2/9] convert crypto to virt_to_pageoff() YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:05 ` [PATCH 3/9] convert net " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:07 ` [PATCH 4/9] convert drivers/block " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:09 ` [PATCH 5/9] convert drivers/ide " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:10 ` [PATCH 6/9] convert drivers/net " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:10 ` [PATCH 7/9] convert drivers/scsi " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:31 ` Christoph Hellwig
2003-08-10 11:51 ` David S. Miller
2003-08-10 12:03 ` YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 14:54 ` Christoph Hellwig
2003-08-10 14:51 ` Christoph Hellwig
2003-08-10 13:54 ` Russell King
2003-08-10 13:55 ` Russell King
2003-08-10 14:55 ` Christoph Hellwig
2003-08-11 5:21 ` David S. Miller
2003-08-10 11:10 ` [PATCH 8/9] convert drivers/usb " YOSHIFUJI Hideaki / 吉藤英明
2003-08-10 11:10 ` [PATCH 9/9] convert fs/jbd " YOSHIFUJI Hideaki / 吉藤英明
2003-08-11 2:15 ` [RFC][PATCH] Make cryptoapi non-optional? Jamie Lokier
2003-08-11 2:38 ` Matt Mackall
2003-08-11 4:54 ` David S. Miller
2003-08-11 5:17 ` Jamie Lokier
2003-08-13 5:01 ` [Numbers][PATCH] " Matt Mackall
2003-08-10 14:46 ` [RFC][PATCH] " James Morris
2003-08-09 14:33 ` Matt Mackall
2003-08-09 17:13 ` Jamie Lokier
2003-08-09 17:33 ` Matt Mackall
2003-08-10 13:18 ` James Morris
2003-08-10 17:45 ` Matt Mackall
2003-08-11 2:09 ` Jamie Lokier
2003-08-11 2:35 ` Matt Mackall
2003-08-11 4:59 ` Jamie Lokier
2003-08-11 5:04 ` Matt Mackall
2003-08-11 5:20 ` Jamie Lokier
2003-08-11 5:54 ` Matt Mackall
2003-08-11 6:24 ` Jamie Lokier
2003-08-11 4:58 ` David Wagner
2003-08-11 5:36 ` Jamie Lokier
2003-08-11 19:21 ` David Wagner
2003-08-13 19:37 ` Jamie Lokier [this message]
2003-08-13 3:52 ` Theodore Ts'o
2003-08-13 15:44 ` i810_rng.o on various Dell models Jim Carter
2003-08-13 16:15 ` Jeff Garzik
2003-08-13 18:43 ` Jamie Lokier
2003-08-13 18:36 ` [RFC][PATCH] Make cryptoapi non-optional? Jamie Lokier
2003-08-15 0:16 ` Network Card Entropy? was: " Mike Fedyk
2003-08-15 0:22 ` Robert Love
2003-08-13 3:20 ` Theodore Ts'o
2003-08-13 4:06 ` Matt Mackall
2003-08-14 16:53 ` Val Henson
2003-08-14 19:40 ` David Wagner
2003-08-14 20:07 ` Chris Friesen
2003-08-14 21:36 ` Jamie Lokier
2003-08-15 0:25 ` Val Henson
2003-08-15 11:47 ` Jamie Lokier
2003-08-15 0:17 ` Val Henson
2003-08-15 1:45 ` David Wagner
2003-08-15 2:21 ` Matt Mackall
2003-08-15 7:30 ` Andries Brouwer
2003-08-15 7:40 ` David S. Miller
2003-08-15 7:55 ` Andries Brouwer
2003-08-15 8:06 ` Måns Rullgård
2003-08-15 8:11 ` Nick Piggin
2003-08-15 15:11 ` Matt Mackall
2003-08-15 22:16 ` Jamie Lokier
2003-08-15 20:22 ` Val Henson
2003-08-16 6:27 ` David Wagner
2003-08-18 4:25 ` Val Henson
2003-08-15 8:09 ` Nick Piggin
2003-08-15 15:03 ` Matt Mackall
2003-08-15 17:04 ` Andries Brouwer
2003-08-15 22:05 ` Jamie Lokier
2003-08-15 22:02 ` Jamie Lokier
2003-08-15 12:48 ` Jamie Lokier
2003-08-15 22:34 ` Theodore Ts'o
2003-08-15 22:12 ` Theodore Ts'o
2003-08-15 23:35 ` James Morris
2003-08-16 15:51 ` Matt Mackall
2003-08-17 14:37 ` James Morris
2003-08-17 15:30 ` Matt Mackall
2003-08-15 23:55 ` Matt Mackall
2003-08-16 0:05 ` Andrew Morton
2003-08-16 0:58 ` Jamie Lokier
2003-08-16 4:57 ` Matt Mackall
2003-08-16 4:38 ` Matt Mackall
2003-08-16 5:03 ` Andrew Morton
2003-08-16 5:39 ` Matt Mackall
2003-08-18 6:43 ` Andreas Dilger
2003-08-18 6:55 ` David Lang
2003-08-18 11:59 ` Jamie Lokier
2003-08-18 12:11 ` Måns Rullgård
2003-08-18 13:33 ` Jamie Lokier
2003-08-18 17:03 ` David Lang
2003-08-18 17:51 ` Jamie Lokier
2003-08-22 4:28 ` David Wagner
2003-08-25 4:29 ` Jamie Lokier
2003-08-18 15:20 ` Matt Mackall
2003-08-18 3:23 ` Theodore Ts'o
2003-08-18 15:46 ` Matt Mackall
2003-08-10 2:07 ` Robert Love
2003-08-10 3:14 ` Matt Mackall
2003-08-10 3:49 ` David S. Miller
2003-08-10 4:01 ` Robert Love
2003-08-10 4:07 ` Robert Love
2003-08-16 20:40 Adam J. Richter
2003-08-17 4:28 ` Matt Mackall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20030813193713.GF4405@mail.jlokier.co.uk \
--to=jamie@shareable.org \
--cc=daw@mozart.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).