Message-ID: <20220510185123.80607.qmail@cr.yp.to>
Date: Tue, 10 May 2022 20:51:23 +0200
From: "D. J. Bernstein"
To: "Jason A. Donenfeld", Yevgeniy Dodis, tytso, Nadia Heninger, Noah Stephens-Dawidowitz, Stefano Tessaro, torvalds@linux-foundation.org, jeanphilippe.aumasson@gmail.com, jann@thejh.net, keescook@chromium.org, gregkh@linuxfoundation.org, Peter Schwabe, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Mail-Followup-To: Jason@zx2c4.com, dodis@cs.nyu.edu, tytso@mit.edu, nadiah@cs.ucsd.edu, noahsd@gmail.com, tessaro@cs.washington.edu, torvalds@linux-foundation.org, jeanphilippe.aumasson@gmail.com, jann@thejh.net, keescook@chromium.org, gregkh@linuxfoundation.org, peter@cryptojedi.org, linux-crypto@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: is "premature next" a real world rng concern, or just an academic exercise?
X-Mailing-List: linux-crypto@vger.kernel.org
Automatic-Legal-Notices: See https://cr.yp.to/mailcopyright.html.

Jason A. Donenfeld writes:
> Right, VMs are super problematic, but for that, there's now this
> "vmgenid" driver, where the hypervisor actually gives a 128-bit seed to
> guests when they're resumed, so that we can immediately reseed, which
> should pretty comprehensively handle that situation.

Hmmm. If an application initializes its own RNG state from /dev/urandom,
and is then cloned, and then generates an ECDSA nonce from the RNG state,
and then uses this nonce to sign a message that's different across the
clones, how is disaster averted?

Given the goal of sending money to cryptographers, I'm pretty sure we want
the answer to be a security-audit nightmare, so let me suggest the
following idea.
There's SIGWINCH to notify processes about window-size changes, so there
should also be a signal for RNG changes, which should be called SIGRINCH,
and there should be a different mechanism to address RNG output cloning
inside the kernel, and there should be endless papers on Grinch Attacks,
including papers that sort of prove security against Grinch Attacks, and
deployment of software that's sort of protected against Grinch Attacks,
and fear of the bad PR from abandoning anything labeled as protection,
because, hey, _maybe_ the protection accomplishes something, and it's not
as if anyone is going to be blamed for whatever damage is caused by the
systems-level effect of the added complexity.

---D. J. Bernstein

P.S. Yes, yes, I know the name "Grinch Attack" has been used before.