From: Jarod Wilson
Subject: Re: [PATCH] random: add blocking facility to urandom
Date: Mon, 12 Sep 2011 09:55:15 -0400
Message-ID: <4E6E0F43.6070307@redhat.com>
References: <1314974248-1511-1-git-send-email-jarod@redhat.com> <1315464117.11199.51.camel@vespa.frost.loc> <20110908125234.GD13657@hmsreliant.think-freely.org> <201109080911.12921.sgrubb@redhat.com> <118704.1315706746@turing-police.cc.vt.edu>
In-Reply-To: <118704.1315706746@turing-police.cc.vt.edu>
To: Valdis.Kletnieks@vt.edu
Cc: Sandy Harris, Steve Grubb, Neil Horman, Tomas Mraz, Sasha Levin, "Ted Ts'o", linux-crypto@vger.kernel.org, Matt Mackall, Herbert Xu, Stephan Mueller, lkml

Valdis.Kletnieks@vt.edu wrote:
> On Fri, 09 Sep 2011 10:21:13 +0800, Sandy Harris said:
>> Barring a complete failure of SHA-1, an enemy who wants to
>> infer the state from outputs needs astronomically large amounts
>> of both data and effort.
>
> So let me get this straight - the movie-plot attack we're defending against is
> somebody reading literally gigabytes to terabytes (though I suspect realistic
> attacks will require peta/exabytes) of data from /dev/urandom, then performing
> all the data reduction needed to infer the state of enough of the entropy pool
> to infer all 160 bits of SHA-1 when only 80 bits are output...
>
> *and* doing it all without taking *any* action that adds any entropy to the
> pool, and *also* ensuring that no other programs add any entropy via their
> actions before the reading and data reduction completes. (Hint - if the
> attacker can do this, you're already pwned and have bigger problems)
>
> /me thinks RedHat needs to start insisting on random drug testing for
> their security experts at BSI. Either that, or force BSI to share the
> really good stuff they've been smoking, or they need to learn how huge
> a number 2^160 *really* is....

Well, previously, we were looking at simply improving random entropy
contributions, but quoting Matt Mackall from here:

http://www.mail-archive.com/linux-crypto@vger.kernel.org/msg05799.html

'I recommend you do some Google searches for "ssl timing attack" and
"aes timing attack" to get a feel for the kind of seemingly impossible
things that can be done and thereby recalibrate your scale of the
impossible.'

:)

Note: I'm not a crypto person. At all. I'm just the "lucky" guy who got
tagged to work on trying to implement various suggestions to satisfy
various government agencies.

-- 
Jarod Wilson
jarod@redhat.com
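To make the scale argument in the quoted exchange concrete (160-bit SHA-1 over the pool, 80 bits output, 2^160 being very large), here is an added toy model written for this page; it is not code from the thread, from Jarod's patch or from the kernel. It assumes, as labelled in the comments, that one extraction hashes the whole pool with SHA-1, that the digest is folded to 80 bits by XORing its two halves, and that the pool is not mixed between extractions (the real pool is, which only makes inference harder than the toy suggests). The pool width, the secret state and the 4096-bit figure used for illustration are constructed values.

```python
"""Toy model of the urandom extraction step debated above.

Constructed example, not kernel code. Assumptions:
  * one extraction hashes the whole pool with SHA-1 (160-bit digest);
  * the digest is folded to 80 bits by XORing its two halves before output;
  * the pool is not mixed between extractions (the real pool is).
"""
import hashlib


def sha1_digest(pool: bytes) -> bytes:
    """160-bit SHA-1 over the pool contents."""
    return hashlib.sha1(pool).digest()


def xor_halves(digest: bytes) -> bytes:
    """Fold a 20-byte digest to 10 bytes by XORing its halves (assumed fold)."""
    if len(digest) != 20:
        raise ValueError("expected a 20-byte SHA-1 digest")
    return bytes(a ^ b for a, b in zip(digest[:10], digest[10:]))


def extract(pool: bytes) -> bytes:
    """One output word: 80 bits derived from the 160-bit hash of the pool."""
    return xor_halves(sha1_digest(pool))


def state_bytes(state: int, pool_bits: int) -> bytes:
    """Encode an integer pool state as the byte string that is hashed."""
    return state.to_bytes((pool_bits + 7) // 8, "big")


def candidate_states(output: bytes, pool_bits: int) -> list:
    """Enumerate every pool_bits-wide state whose extraction equals output.

    Feasible only because the toy pool is a few bits wide: the loop costs
    2**pool_bits SHA-1 computations, which is exactly the work Valdis's
    "how huge 2^160 really is" remark is about once pool_bits is realistic.
    """
    if pool_bits > 24:
        raise ValueError("toy enumeration only; 2**pool_bits is too large")
    return [s for s in range(1 << pool_bits)
            if extract(state_bytes(s, pool_bits)) == output]


def remaining_uncertainty_bits(pool_bits: int, outputs_seen: int,
                               output_bits: int = 80) -> int:
    """Bits of pool state still unknown after outputs_seen independent outputs.

    Each 80-bit output can narrow the 2**pool_bits states by at most a factor
    of 2**80. This is an information-theoretic bound that ignores the cost of
    actually using the information, which for SHA-1 means a preimage search.
    """
    return max(0, pool_bits - outputs_seen * output_bits)


if __name__ == "__main__":
    TOY_BITS = 12                      # constructed: a 4096-state toy pool
    true_state = 0x5A5                 # constructed: the secret pool contents
    out = extract(state_bytes(true_state, TOY_BITS))
    cands = candidate_states(out, TOY_BITS)
    print(f"toy pool: {len(cands)} state(s) consistent with one output; "
          f"true state among them: {true_state in cands}")
    # Assumed 4096-bit pool, used only to illustrate scale.
    for n in (1, 10, 50, 52):
        print(f"4096-bit pool after {n} outputs: "
              f"{remaining_uncertainty_bits(4096, n)} bits unresolved")
```

The toy run recovers a 12-bit pool from a single output because 4096 SHA-1 evaluations are cheap; the same loop over a realistic pool is the 2^N work factor the thread argues about, and the bound in `remaining_uncertainty_bits` shows that dozens of outputs are needed before even the information-theoretic uncertainty reaches zero, before any mixing between extractions is accounted for.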