From: Willy Tarreau <w@1wt.eu>
To: tytso@mit.edu
Cc: Marc Plumb <lkml.mplumb@gmail.com>,
netdev@vger.kernel.org, aksecurity@gmail.com,
torvalds@linux-foundation.org, edumazet@google.com,
Jason@zx2c4.com, luto@kernel.org, keescook@chromium.org,
tglx@linutronix.de, peterz@infradead.org, stable@vger.kernel.org
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"
Date: Wed, 5 Aug 2020 18:53:04 +0200 [thread overview]
Message-ID: <20200805165304.GA17940@1wt.eu> (raw)
In-Reply-To: <20200805153432.GE497249@mit.edu>
Hi Ted,
On Wed, Aug 05, 2020 at 11:34:32AM -0400, tytso@mit.edu wrote:
> That being said, it certainly is a certificational / theoretical
> weakness, and if the bright boys and girls at Fort Meade did figure
> out a way to exploit this, they are very much unlikely to share it at
> an open Crypto conference. So replacing LFSR-based PRnG with
> something stronger which didn't release any bits from the fast_pool
> would certainly be desireable, and I look forward to seeing what Willy
> has in mind.
I'll post a proposal patch shortly about this, hopefully this week-end
(got diverted by work lately :-)). Just to give you a few pointers,
it's a small modification of MSWS. It passes the Practrand test suite
on 256 GB of data with zero warning (something that Tausworthe is
supposed to fail at).
By default, MSWS *does* leak its internal state, as Amit showed us (and
seeing that the paper on it suggests it's safe as-is for crypto use is
a bit shocking), but once slightly adjusted, it doesn't reveal its state
anymore and that would constitute a much more future-proof solution for
quite some time. Tausworthe was created something like 20 years ago or
so, hence it's not surprizing that it's a bit dated by now, but if we
can upgrade once every 2 decades I guess it's not that bad.
Cheers,
Willy
next prev parent reply other threads:[~2020-08-05 16:56 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <9f74230f-ba4d-2e19-5751-79dc2ab59877@gmail.com>
2020-08-05 0:57 ` Flaw in "random32: update the net random state on interrupt and activity" Marc Plumb
2020-08-05 1:02 ` Linus Torvalds
2020-08-05 2:49 ` Willy Tarreau
2020-08-05 15:34 ` tytso
2020-08-05 16:06 ` Marc Plumb
2020-08-05 19:38 ` Willy Tarreau
2020-08-05 22:21 ` Marc Plumb
2020-08-06 6:30 ` Willy Tarreau
2020-08-06 17:18 ` Marc Plumb
2020-08-07 7:03 ` Willy Tarreau
2020-08-07 16:52 ` Marc Plumb
2020-08-07 17:43 ` Willy Tarreau
[not found] ` <C74EC3BC-F892-416F-A95C-4ACFC96EEECE@amacapital.net>
2020-08-07 18:04 ` Willy Tarreau
2020-08-07 18:10 ` Linus Torvalds
2020-08-07 19:08 ` Andy Lutomirski
2020-08-07 19:21 ` Linus Torvalds
2020-08-07 19:33 ` Andy Lutomirski
2020-08-07 19:56 ` Linus Torvalds
2020-08-07 20:16 ` Andy Lutomirski
2020-08-07 20:24 ` Linus Torvalds
2020-08-07 19:59 ` Marc Plumb
2020-08-07 22:19 ` Willy Tarreau
2020-08-07 22:45 ` Marc Plumb
2020-08-07 23:11 ` Willy Tarreau
2020-08-05 22:05 ` tytso
2020-08-05 23:03 ` Andy Lutomirski
2020-08-06 17:00 ` Marc Plumb
2020-08-05 16:24 ` Jason A. Donenfeld
2020-08-05 16:53 ` Willy Tarreau [this message]
2020-08-05 15:44 ` Marc Plumb
2020-08-05 16:39 ` Linus Torvalds
2020-08-05 23:49 ` Stephen Hemminger
2020-08-08 15:26 George Spelvin
2020-08-08 17:07 ` Andy Lutomirski
2020-08-08 18:08 ` Willy Tarreau
2020-08-08 18:13 ` Linus Torvalds
2020-08-08 19:03 ` George Spelvin
2020-08-08 19:49 ` Andy Lutomirski
2020-08-08 21:29 ` George Spelvin
2020-08-08 17:44 ` Willy Tarreau
2020-08-08 18:19 ` Linus Torvalds
2020-08-08 18:53 ` Willy Tarreau
2020-08-08 20:47 ` George Spelvin
2020-08-08 20:52 ` Linus Torvalds
2020-08-08 22:27 ` George Spelvin
2020-08-09 2:07 ` Linus Torvalds
2020-08-11 16:01 ` Eric Dumazet
2020-08-08 19:18 ` Florian Westphal
2020-08-08 20:59 ` George Spelvin
2020-08-08 21:18 ` Willy Tarreau
2020-08-08 20:08 ` George Spelvin
2020-08-08 20:47 ` Linus Torvalds
2020-08-12 6:03 Sedat Dilek
2020-08-12 6:35 ` Sedat Dilek
2020-08-12 7:13 ` Sedat Dilek
2020-08-12 15:16 ` Eric Dumazet
2020-08-12 16:20 ` Sedat Dilek
2020-08-12 16:24 ` Eric Dumazet
2020-08-12 16:38 ` Sedat Dilek
2020-08-19 9:51 ` Sedat Dilek
2021-01-08 13:08 ` Sedat Dilek
2021-01-08 13:51 ` Sedat Dilek
2021-01-08 15:41 ` Eric Dumazet
2021-01-08 21:32 ` Sedat Dilek
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200805165304.GA17940@1wt.eu \
--to=w@1wt.eu \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=lkml.mplumb@gmail.com \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stable@vger.kernel.org \
--cc=tglx@linutronix.de \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).