From: Stephen Hemminger <stephen@networkplumber.org>
To: "Jason A. Donenfeld" <Jason@zx2c4.com>
Cc: Netdev <netdev@vger.kernel.org>,
kernel-hardening@lists.openwall.com,
LKML <linux-kernel@vger.kernel.org>,
linux-crypto@vger.kernel.org,
David Laight <David.Laight@aculab.com>, Ted Tso <tytso@mit.edu>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
edumazet@google.com,
Linus Torvalds <torvalds@linux-foundation.org>,
Eric Biggers <ebiggers3@gmail.com>,
Tom Herbert <tom@herbertland.com>,
ak@linux.intel.com, davem@davemloft.net, luto@amacapital.net,
Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>
Subject: Re: [PATCH v7 1/6] siphash: add cryptographically secure PRF
Date: Wed, 21 Dec 2016 17:40:26 -0800 [thread overview]
Message-ID: <20161221174026.1b25fd80@xeon-e3> (raw)
In-Reply-To: <20161221230216.25341-2-Jason@zx2c4.com>
On Thu, 22 Dec 2016 00:02:11 +0100
"Jason A. Donenfeld" <Jason@zx2c4.com> wrote:
> SipHash is a 64-bit keyed hash function that is actually a
> cryptographically secure PRF, like HMAC. Except SipHash is super fast,
> and is meant to be used as a hashtable keyed lookup function, or as a
> general PRF for short input use cases, such as sequence numbers or RNG
> chaining.
>
> For the first usage:
>
> There are a variety of attacks known as "hashtable poisoning" in which an
> attacker forms some data such that the hash of that data will be the
> same, and then preceeds to fill up all entries of a hashbucket. This is
> a realistic and well-known denial-of-service vector. Currently
> hashtables use jhash, which is fast but not secure, and some kind of
> rotating key scheme (or none at all, which isn't good). SipHash is meant
> as a replacement for jhash in these cases.
>
> There are a modicum of places in the kernel that are vulnerable to
> hashtable poisoning attacks, either via userspace vectors or network
> vectors, and there's not a reliable mechanism inside the kernel at the
> moment to fix it. The first step toward fixing these issues is actually
> getting a secure primitive into the kernel for developers to use. Then
> we can, bit by bit, port things over to it as deemed appropriate.
>
> While SipHash is extremely fast for a cryptographically secure function,
> it is likely a bit slower than the insecure jhash, and so replacements
> will be evaluated on a case-by-case basis based on whether or not the
> difference in speed is negligible and whether or not the current jhash usage
> poses a real security risk.
>
> For the second usage:
>
> A few places in the kernel are using MD5 or SHA1 for creating secure
> sequence numbers, syn cookies, port numbers, or fast random numbers.
> SipHash is a faster and more fitting, and more secure replacement for MD5
> in those situations. Replacing MD5 and SHA1 with SipHash for these uses is
> obvious and straight-forward, and so is submitted along with this patch
> series. There shouldn't be much of a debate over its efficacy.
>
> Dozens of languages are already using this internally for their hash
> tables and PRFs. Some of the BSDs already use this in their kernels.
> SipHash is a widely known high-speed solution to a widely known set of
> problems, and it's time we catch-up.
>
> Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
> Cc: Jean-Philippe Aumasson <jeanphilippe.aumasson@gmail.com>
> Cc: Linus Torvalds <torvalds@linux-foundation.org>
> Cc: Eric Biggers <ebiggers3@gmail.com>
> Cc: David Laight <David.Laight@aculab.com>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
The networking tree (net-next) which is where you are submitting to is technically
closed right now.
next prev parent reply other threads:[~2016-12-22 1:40 UTC|newest]
Thread overview: 56+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-15 20:29 [PATCH v5 0/4] The SipHash Patchset Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 1/4] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-15 22:42 ` George Spelvin
2016-12-16 2:14 ` kbuild test robot
2016-12-17 14:55 ` Jeffrey Walton
2016-12-19 17:08 ` Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 2/4] siphash: add Nu{32,64} helpers Jason A. Donenfeld
2016-12-16 10:39 ` David Laight
2016-12-16 15:44 ` George Spelvin
2016-12-15 20:30 ` [PATCH v5 3/4] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-16 9:59 ` David Laight
2016-12-16 15:57 ` Jason A. Donenfeld
2016-12-15 20:30 ` [PATCH v5 4/4] random: " Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 0/5] The SipHash Patchset Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 1/5] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 2/5] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 3/5] random: " Jason A. Donenfeld
2016-12-16 21:31 ` Andy Lutomirski
2016-12-16 3:03 ` [PATCH v6 4/5] md5: remove from lib and only live in crypto Jason A. Donenfeld
2016-12-16 3:03 ` [PATCH v6 5/5] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 0/6] The SipHash Patchset Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 1/6] siphash: add cryptographically secure PRF Jason A. Donenfeld
2016-12-22 1:40 ` Stephen Hemminger [this message]
2016-12-21 23:02 ` [PATCH v7 2/6] secure_seq: use SipHash in place of MD5 Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 3/6] random: " Jason A. Donenfeld
2016-12-21 23:13 ` Jason A. Donenfeld
2016-12-21 23:42 ` Andy Lutomirski
2016-12-22 2:07 ` Hannes Frederic Sowa
2016-12-22 2:09 ` Andy Lutomirski
2016-12-22 2:49 ` Jason A. Donenfeld
2016-12-22 3:12 ` Jason A. Donenfeld
2016-12-22 5:41 ` [kernel-hardening] " Theodore Ts'o
2016-12-22 6:03 ` Jason A. Donenfeld
2016-12-22 15:58 ` Theodore Ts'o
2016-12-22 16:16 ` Jason A. Donenfeld
2016-12-22 16:30 ` Theodore Ts'o
2016-12-22 16:36 ` Jason A. Donenfeld
2016-12-22 12:47 ` Hannes Frederic Sowa
2016-12-22 13:10 ` Jason A. Donenfeld
2016-12-22 15:05 ` Hannes Frederic Sowa
2016-12-22 15:12 ` Jason A. Donenfeld
2016-12-22 15:29 ` Jason A. Donenfeld
2016-12-22 15:33 ` Hannes Frederic Sowa
2016-12-22 15:41 ` Jason A. Donenfeld
2016-12-22 15:51 ` Hannes Frederic Sowa
2016-12-22 15:53 ` Jason A. Donenfeld
2016-12-22 15:54 ` Theodore Ts'o
2016-12-22 18:08 ` Hannes Frederic Sowa
2016-12-22 18:13 ` Jason A. Donenfeld
2016-12-22 19:50 ` Theodore Ts'o
2016-12-22 2:31 ` Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 4/6] md5: remove from lib and only live in crypto Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 5/6] syncookies: use SipHash in place of SHA1 Jason A. Donenfeld
2016-12-21 23:02 ` [PATCH v7 6/6] siphash: implement HalfSipHash1-3 for hash tables Jason A. Donenfeld
2016-12-22 0:46 ` Andi Kleen
2016-12-22 1:42 [PATCH v7 1/6] siphash: add cryptographically secure PRF Jason A. Donenfeld
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161221174026.1b25fd80@xeon-e3 \
--to=stephen@networkplumber.org \
--cc=David.Laight@aculab.com \
--cc=Jason@zx2c4.com \
--cc=ak@linux.intel.com \
--cc=davem@davemloft.net \
--cc=ebiggers3@gmail.com \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=hannes@stressinduktion.org \
--cc=jeanphilippe.aumasson@gmail.com \
--cc=kernel-hardening@lists.openwall.com \
--cc=linux-crypto@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luto@amacapital.net \
--cc=netdev@vger.kernel.org \
--cc=tom@herbertland.com \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).