From: Linus Torvalds <torvalds@linux-foundation.org>
To: George Spelvin <lkml@sdf.org>
Cc: Willy Tarreau <w@1wt.eu>, Netdev <netdev@vger.kernel.org>,
Amit Klein <aksecurity@gmail.com>,
Eric Dumazet <edumazet@google.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
Andrew Lutomirski <luto@kernel.org>,
Kees Cook <keescook@chromium.org>,
Thomas Gleixner <tglx@linutronix.de>,
Peter Zijlstra <peterz@infradead.org>,
"Theodore Ts'o" <tytso@mit.edu>,
Marc Plumb <lkml.mplumb@gmail.com>,
Stephen Hemminger <stephen@networkplumber.org>
Subject: Re: Flaw in "random32: update the net random state on interrupt and activity"
Date: Sat, 8 Aug 2020 19:07:29 -0700 [thread overview]
Message-ID: <CAHk-=wh00nvUwT-yck2gt3eKgix-mBZ4RcGe1WJ6C5VDW4e6zw@mail.gmail.com> (raw)
In-Reply-To: <20200808222752.GG27941@SDF.ORG>
On Sat, Aug 8, 2020 at 3:28 PM George Spelvin <lkml@sdf.org> wrote:
>
> It's not a theoretical hole, it's a very real one. Other than the cycles
> to do the brute-force part, it's not even all that complicated. The
> theory part is that it's impossible to patch.
We'll just disagree.
I'm really fed up with security holes that are brought on by crypto
people not being willing to just do reasonable things.
> *If* you do the stupid thing. WHICH YOU COULD JUST STOP DOING.
We're not feeding all the same bits to the /dev/random that we're
using to also update the pseudo-random state, so I think you're
overreacting. Think of it as "/dev/random gets a few bits, and prandom
gets a few other bits".
The fact that there is overlap between the bits is immaterial, when
other parts are disjoint. Fractonal bits of entropy and all that.
> The explain it to me. What is that actual *problem*? Nobody's described
> one, so I've been guessing. What is this *monumentally stupid* abuse of
> /dev/random allegedly fixing?
The problem is that the networking people really want unguessable
random state. There was a remote DNS spoofing poisoning attack because
the UDP ports ended up being guessable.
And that was actually reported to us back in early March.
Almost five months later, nothing had been done, all the discussion
bogged down about "theoretical randomness" rather than to actual
real-life security.
> If you're not an idiot, explain.
>
> Because right now you sound like one. There's a simple and easy fix which
> I've described and will get back to implementing as soon as I've finished
> yelling at you. What, FFS, is your objection to considering it?
By now, I'm not in the least interested in theoretical arguments.
I claim that the simple "mix in (different parts of) the TSC bits and
IP bits into _both_ the pseudo random state and the /dev/random state"
is going to make it hell on earth for anybody to ever find weaknesses
in either. Or if they do, they need to find and then exploit them
really quickly, because practically speaking, a few hundred times a
second you end up with noise that you cannot attack algorithmically
perturbing the state of both.
And I realize that drives you crazy. You _want_ to be able to analyze
the state to prove something about it. And that's absolutely the
opposite of what I want. I want the internal state (both prandom and
/dev/random) to simply not be amenable to analysis - simple because we
intentionally screw it up on interrupts. You can analyze it all you
want, knowing that in a few milliseconds you'll have to start over (at
least partially).
So even if you're the NSA, and it turns out that you have a magical
quantum computer that can break the best hash function crypto people
know about by just seeing a fairly small part stream of random
numbers, you'd better figure that state out quickly, because next
interrupt comes along, and we'll perturb it.
Or, say that you find something like meltdown, and can actually use
some side channel to read out the full state of our internal
/dev/random mixing buffers. ALL of it. No magic NSA quantum computer
required, just a side channel. Your "theoretical" are all complete and
utter shit in that case, if all we do is have the best possible secure
algorithm. Because the state is right there, and our
super-duper-secure algorithm is all open source, and your claims of
"this is unbreakable in theory" is just complet and utter nonsense.
This is why I claim the noise that you can't analyze is so important.
You see it as a weakness, because you see it as a "now I can't prove
certain things". I see it as exactly the opposite.
So to me, your whole "theoretical safety" argument is actually a huge
honking weakness.
Btw, you'll really hate what I did to /dev/random for initializing the
pool last year. Another case of "Christ, crypto people have screwed us
for decades, now I'm going to just fix it" situation.
Go do
git log --author=Torvalds --no-merges drivers/char/random.c
and you'll probably have a heart attack.
Linus
next prev parent reply other threads:[~2020-08-09 2:07 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-08-08 15:26 Flaw in "random32: update the net random state on interrupt and activity" George Spelvin
2020-08-08 17:07 ` Andy Lutomirski
2020-08-08 18:08 ` Willy Tarreau
2020-08-08 18:13 ` Linus Torvalds
2020-08-08 19:03 ` George Spelvin
2020-08-08 19:49 ` Andy Lutomirski
2020-08-08 21:29 ` George Spelvin
2020-08-08 17:44 ` Willy Tarreau
2020-08-08 18:19 ` Linus Torvalds
2020-08-08 18:53 ` Willy Tarreau
2020-08-08 20:47 ` George Spelvin
2020-08-08 20:52 ` Linus Torvalds
2020-08-08 22:27 ` George Spelvin
2020-08-09 2:07 ` Linus Torvalds [this message]
2020-08-11 16:01 ` Eric Dumazet
2020-08-08 19:18 ` Florian Westphal
2020-08-08 20:59 ` George Spelvin
2020-08-08 21:18 ` Willy Tarreau
2020-08-08 20:08 ` George Spelvin
2020-08-08 20:47 ` Linus Torvalds
2020-08-09 6:57 ` [DRAFT PATCH] random32: make prandom_u32() output unpredictable George Spelvin
2020-08-09 9:38 ` Willy Tarreau
2020-08-09 17:06 ` George Spelvin
2020-08-09 17:33 ` Willy Tarreau
2020-08-09 18:30 ` George Spelvin
2020-08-09 19:16 ` Willy Tarreau
2020-08-10 11:47 ` Willy Tarreau
2020-08-10 12:01 ` David Laight
2020-08-10 14:48 ` Willy Tarreau
2020-08-10 12:03 ` Florian Westphal
2020-08-10 14:53 ` Willy Tarreau
2020-08-10 16:31 ` Linus Torvalds
2020-08-10 16:58 ` Willy Tarreau
2020-08-10 17:45 ` Linus Torvalds
2020-08-10 18:01 ` Willy Tarreau
2020-08-10 21:04 ` Willy Tarreau
2020-08-11 5:26 ` George Spelvin
2020-08-11 5:37 ` Willy Tarreau
2020-08-11 3:47 ` George Spelvin
2020-08-11 3:58 ` Willy Tarreau
[not found] ` <fdbc7d7d-cba2-ef94-9bde-b3ccae0cfaac@gmail.com>
2020-08-09 21:10 ` Marc Plumb
2020-08-09 21:48 ` Linus Torvalds
2020-08-09 13:50 ` Randy Dunlap
[not found] ` <CANEQ_++a4YcwQQ2XhuguTono9=RxbSRVsMw08zLWBWJ_wxG2AQ@mail.gmail.com>
2020-08-09 16:08 ` George Spelvin
-- strict thread matches above, loose matches on Subject: below --
2020-08-12 6:03 Flaw in "random32: update the net random state on interrupt and activity" Sedat Dilek
2020-08-12 6:35 ` Sedat Dilek
2020-08-12 7:13 ` Sedat Dilek
2020-08-12 15:16 ` Eric Dumazet
2020-08-12 16:20 ` Sedat Dilek
2020-08-12 16:24 ` Eric Dumazet
2020-08-12 16:38 ` Sedat Dilek
2020-08-19 9:51 ` Sedat Dilek
2021-01-08 13:08 ` Sedat Dilek
2021-01-08 13:51 ` Sedat Dilek
2021-01-08 15:41 ` Eric Dumazet
2021-01-08 21:32 ` Sedat Dilek
[not found] <9f74230f-ba4d-2e19-5751-79dc2ab59877@gmail.com>
2020-08-05 0:57 ` Marc Plumb
2020-08-05 1:02 ` Linus Torvalds
2020-08-05 2:49 ` Willy Tarreau
2020-08-05 15:34 ` tytso
2020-08-05 16:06 ` Marc Plumb
2020-08-05 19:38 ` Willy Tarreau
2020-08-05 22:21 ` Marc Plumb
2020-08-06 6:30 ` Willy Tarreau
2020-08-06 17:18 ` Marc Plumb
2020-08-07 7:03 ` Willy Tarreau
2020-08-07 16:52 ` Marc Plumb
2020-08-07 17:43 ` Willy Tarreau
[not found] ` <C74EC3BC-F892-416F-A95C-4ACFC96EEECE@amacapital.net>
2020-08-07 18:04 ` Willy Tarreau
2020-08-07 18:10 ` Linus Torvalds
2020-08-07 19:08 ` Andy Lutomirski
2020-08-07 19:21 ` Linus Torvalds
2020-08-07 19:33 ` Andy Lutomirski
2020-08-07 19:56 ` Linus Torvalds
2020-08-07 20:16 ` Andy Lutomirski
2020-08-07 20:24 ` Linus Torvalds
2020-08-07 19:59 ` Marc Plumb
2020-08-07 22:19 ` Willy Tarreau
2020-08-07 22:45 ` Marc Plumb
2020-08-07 23:11 ` Willy Tarreau
2020-08-05 22:05 ` tytso
2020-08-05 23:03 ` Andy Lutomirski
2020-08-06 17:00 ` Marc Plumb
2020-08-05 16:24 ` Jason A. Donenfeld
2020-08-05 16:53 ` Willy Tarreau
2020-08-05 15:44 ` Marc Plumb
2020-08-05 16:39 ` Linus Torvalds
2020-08-05 23:49 ` Stephen Hemminger
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAHk-=wh00nvUwT-yck2gt3eKgix-mBZ4RcGe1WJ6C5VDW4e6zw@mail.gmail.com' \
--to=torvalds@linux-foundation.org \
--cc=Jason@zx2c4.com \
--cc=aksecurity@gmail.com \
--cc=edumazet@google.com \
--cc=keescook@chromium.org \
--cc=lkml.mplumb@gmail.com \
--cc=lkml@sdf.org \
--cc=luto@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=peterz@infradead.org \
--cc=stephen@networkplumber.org \
--cc=tglx@linutronix.de \
--cc=tytso@mit.edu \
--cc=w@1wt.eu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).