From: Matt Mackall <mpm@selenic.com>
To: Theodore Tso <tytso@mit.edu>, Kyle Moffett <mrmacman_g4@mac.com>,
Andrew Morton <akpm@osdl.org>,
linux-kernel@vger.kernel.org, davem@davemloft.net
Subject: Re: [PATCH 7/14] random: Remove SA_SAMPLE_RANDOM from network drivers
Date: Sat, 6 May 2006 15:33:04 -0500 [thread overview]
Message-ID: <20060506203304.GF15445@waste.org> (raw)
In-Reply-To: <20060506180551.GB22474@thunk.org>
On Sat, May 06, 2006 at 02:05:51PM -0400, Theodore Tso wrote:
> On Sat, May 06, 2006 at 11:48:08AM -0500, Matt Mackall wrote:
> > Case 3:
> > Hash function broken, entropy accounting is over-optimistic:
> > /dev/urandom and /dev/random are both equally insecure because both
> > are revealing more internal entropy than they're collecting. So you
> > should just use /dev/urandom because at least it doesn't block.
> >
> > Putting aside all the practical issue of what exactly is entropy and
> > what decent entropy sources are, we should be able to agree on this
> > much. And this basically says that if you do your entropy accounting
> > badly, you throw the baby out with the bathwater.
>
> Agreed, but I'd an additional point of nuance; this assumes that the
> attacker (call him Boris for the sake of argument) can actually gain
> access to enough /dev/random or /dev/urandom outputs, and be
> knowledgable about all other calls to /dev/random and exactly when
> they happen (since entropy extractions cause the TSC to be mixed into
> the pool) so Boris can can actually determine the contents of the
> pool.
Yes, that's assumed. Because otherwise /dev/urandom would be
sufficient in all cases.
> Note that simply "breaking" a cryptographic hash, in the sense
> of finding two input values that collide to the same output value,
> does not mean that the hash has been sufficiently analyzed that it
> would be possible to accomplish this feat.
I'm not talking about any existing attacks, I'm talking about what
would theoretically be possible were a first preimage attack on our
hash to become practical.
> Does this mean we should __depend__ on this? No, we should always do
> the best job that we can. But it's also fair to say that even if the
> hash function is "broken", that the results are not automatically
> going to be catastrophic. If the attacker can't get their hands on
> enough of an output stream from /dev/random, then it's not likely to
> do much. For an attacker who only has network access, this could be
> quite difficult.
All agreed. But that applies equally to /dev/urandom. The only thing that
distinguishes the two is entropy accounting and entropy accounting
only makes a difference if it's conservative.
I am _not_ arguing that any of this is practical. I'm arguing that
it's completely beside the point.
> > But network traffic should be _assumed_ to be observable to some
> > degree. Everything else in network security makes the assumption that
> > traffic is completely snoopable. By contrast, we assume people can't
> > see us type our passwords[1]. So while our entropy estimator assumes
> > observability == 0, for the network case, 0 < observability <= 1. And
> > if it's greater than what our entropy estimator assumes, our entropy
> > estimates are now too optimistic and /dev/random security degrades to
> > that of /dev/urandom.
>
> The timing of network arrivals is observable to *some* degree. Of
> course, so is the timing from block I/O interrupts.
That's a whole 'nother topic we can tackle separately.
> For network traffic, again, it depends on your threat model.
Here's a threat model: I remotely break into your LAN and 0wn insecure
Windows box X that's one switch jump away from the web server Y that
processes your credit card transactions. I use standard techniques to
kick the switch into broadcast mode so I can see all its traffic or
maybe I break into the switch itself and temporarily isolate Y from
the rest of the world so that only X can talk to it. I'm still in
Russia, but I might as well be in the same room.
> That's why I think it should be configurable. If you don't have a
> real hardware number generator, maybe blocking would be preferable to
> not having good entropy. But in other circumstances, what people need
> is the best possible randomness they can get, and their security is
> not enhanced by simply taking it away from them altogether. That
> makes about as much sense as GNOME making its applications "easier to
> use" by removing functionality (to quote Linus).
Again, I think it's perfectly reasonable to sample from all sorts of
sources. All my issues are about the entropy accounting.
> > Yes, this is all strictly theoretical. But the usefulness of
> > /dev/random is exactly as theoretical. So if you use /dev/random for
> > it's theoretical advantages (and why else would you?), this defeats
> > that.
>
> This becomes a philosophical arugment. Yes, we should strive for as
> much theoretical perfection as possible. But at the same time, we
> need to live in the real world, and adding network entropy which can
> defeat the bored high school student in Russia using some black hat
> toolkit they downloaded of the internet is useful --- even if it can't
> defeat the NSA/FBI agent who can perform a black bag job and place a
> monitoring device on your internal ethernet segment.
No thoughts on scaling back our entropy estimates?
--
Mathematics is the supreme nostalgia of our time.
next prev parent reply other threads:[~2006-05-06 20:37 UTC|newest]
Thread overview: 60+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-05-05 16:42 [PATCH 1/14] random: Remove SA_SAMPLE_RANDOM from floppy driver Matt Mackall
2006-05-05 16:42 ` [PATCH 6/14] random: Remove redundant SA_SAMPLE_RANDOM from touchscreen drivers Matt Mackall
2006-05-05 16:42 ` [PATCH 4/14] random: Change cpqarray to use add_disk_randomness Matt Mackall
2006-05-05 16:42 ` [PATCH 2/14] random: Remove redundant SA_SAMPLE_RANDOM from NinjaSCSI Matt Mackall
2006-05-05 16:42 ` [PATCH 3/14] random: Make CCISS use add_disk_randomness Matt Mackall
2006-05-05 16:42 ` [PATCH 5/14] random: Remove bogus SA_SAMPLE_RANDOM from at91 compact flash driver Matt Mackall
2006-05-05 16:42 ` [PATCH 8/14] random: Remove SA_SAMPLE_RANDOM from USB gadget drivers Matt Mackall
2006-05-06 11:07 ` Denis Vlasenko
2006-05-06 18:16 ` David Brownell
2006-05-06 18:31 ` Matt Mackall
2006-05-05 16:42 ` [PATCH 7/14] random: Remove SA_SAMPLE_RANDOM from network drivers Matt Mackall
2006-05-05 17:13 ` Kyle Moffett
2006-05-05 17:24 ` Matt Mackall
2006-05-05 19:11 ` Theodore Tso
2006-05-05 20:30 ` Stephen Hemminger
2006-05-05 20:34 ` Matt Mackall
2006-05-06 11:55 ` Theodore Tso
2006-05-06 16:48 ` Matt Mackall
2006-05-06 17:29 ` Bernd Eckenfels
2006-05-06 18:05 ` Theodore Tso
2006-05-06 20:33 ` Matt Mackall [this message]
2006-05-07 0:17 ` David S. Miller
2006-05-07 1:22 ` Theodore Tso
2006-05-07 5:07 ` Matt Mackall
2006-05-08 21:58 ` Sami Farin
2006-05-24 22:47 ` Marcin Dalecki
2006-05-25 0:08 ` Theodore Tso
2006-05-31 19:29 ` Bill Davidsen
2006-05-07 0:08 ` David S. Miller
2006-05-07 4:59 ` Matt Mackall
2006-05-07 5:46 ` David S. Miller
2006-05-07 16:31 ` Matt Mackall
2006-05-07 13:13 ` Thiago Galesi
2006-05-07 16:00 ` Matt Mackall
2006-05-07 17:00 ` Thiago Galesi
2006-05-08 0:13 ` Theodore Tso
2006-05-08 2:55 ` Matt Mackall
2006-05-08 6:26 ` Pavel Machek
2006-05-08 7:07 ` David S. Miller
2006-05-08 14:05 ` Matt Mackall
2006-05-08 17:21 ` Pavel Machek
2006-05-08 17:27 ` Matt Mackall
2006-05-09 11:23 ` Pavel Machek
2006-05-11 10:05 ` Ph. Marek
2006-05-24 22:35 ` Marcin Dalecki
2006-05-05 21:10 ` David S. Miller
2006-05-05 23:03 ` Matt Mackall
2006-05-05 23:19 ` David S. Miller
2006-05-06 14:08 ` Folkert van Heusden
2006-05-06 15:19 ` Lee Revell
2006-05-07 10:35 ` Folkert van Heusden
2006-05-07 16:33 ` Matt Mackall
2006-05-05 16:42 ` [PATCH 9/14] random: Remove SA_SAMPLE_RANDOM from i2c drivers Matt Mackall
2006-05-05 16:42 ` [PATCH 10/14] random: Remove bogus SA_SAMPLE_RANDOM from mpc52xx serial driver Matt Mackall
2006-05-05 16:42 ` [PATCH 11/14] random: Remove UML usage of SA_SAMPLE_RANDOM Matt Mackall
2006-05-05 16:42 ` [PATCH 13/14] random: Remove SA_SAMPLE_RANDOM from IRQ fastpath Matt Mackall
2006-05-05 16:42 ` [PATCH 12/14] random: Remove not very useful SA_SAMPLE_RANDOM from lubbock Matt Mackall
2006-05-05 16:42 ` [PATCH 14/14] random: Remove add_interrupt_randomness Matt Mackall
2006-05-08 7:38 [PATCH 7/14] random: Remove SA_SAMPLE_RANDOM from network drivers linux
2006-05-12 6:09 ` linux
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20060506203304.GF15445@waste.org \
--to=mpm@selenic.com \
--cc=akpm@osdl.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=mrmacman_g4@mac.com \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).