Re: [PATCH v7 1/6] siphash: add cryptographically secure PRF

From: Stephen Hemminger
Date: Wed Dec 21 2016 - 20:40:39 EST

Next message: Jason A. Donenfeld: "Re: [PATCH v7 1/6] siphash: add cryptographically secure PRF"
Previous message: Lu Baolu: "Re: [PATCH 2/2] usb: host: xhci: Handle the right timeout command"
In reply to: Jason A. Donenfeld: "[PATCH v7 1/6] siphash: add cryptographically secure PRF"
Next in thread: Jason A. Donenfeld: "[PATCH v7 2/6] secure_seq: use SipHash in place of MD5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, 22 Dec 2016 00:02:11 +0100
"Jason A. Donenfeld" <Jason@xxxxxxxxx> wrote:

> SipHash is a 64-bit keyed hash function that is actually a
> cryptographically secure PRF, like HMAC. Except SipHash is super fast,
> and is meant to be used as a hashtable keyed lookup function, or as a
> general PRF for short input use cases, such as sequence numbers or RNG
> chaining.
>
> For the first usage:
>
> There are a variety of attacks known as "hashtable poisoning" in which an
> attacker forms some data such that the hash of that data will be the
> same, and then preceeds to fill up all entries of a hashbucket. This is
> a realistic and well-known denial-of-service vector. Currently
> hashtables use jhash, which is fast but not secure, and some kind of
> rotating key scheme (or none at all, which isn't good). SipHash is meant
> as a replacement for jhash in these cases.
>
> There are a modicum of places in the kernel that are vulnerable to
> hashtable poisoning attacks, either via userspace vectors or network
> vectors, and there's not a reliable mechanism inside the kernel at the
> moment to fix it. The first step toward fixing these issues is actually
> getting a secure primitive into the kernel for developers to use. Then
> we can, bit by bit, port things over to it as deemed appropriate.
>
> While SipHash is extremely fast for a cryptographically secure function,
> it is likely a bit slower than the insecure jhash, and so replacements
> will be evaluated on a case-by-case basis based on whether or not the
> difference in speed is negligible and whether or not the current jhash usage
> poses a real security risk.
>
> For the second usage:
>
> A few places in the kernel are using MD5 or SHA1 for creating secure
> sequence numbers, syn cookies, port numbers, or fast random numbers.
> SipHash is a faster and more fitting, and more secure replacement for MD5
> in those situations. Replacing MD5 and SHA1 with SipHash for these uses is
> obvious and straight-forward, and so is submitted along with this patch
> series. There shouldn't be much of a debate over its efficacy.
>
> Dozens of languages are already using this internally for their hash
> tables and PRFs. Some of the BSDs already use this in their kernels.
> SipHash is a widely known high-speed solution to a widely known set of
> problems, and it's time we catch-up.
>
> Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx>
> Cc: Jean-Philippe Aumasson <jeanphilippe.aumasson@xxxxxxxxx>
> Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>
> Cc: Eric Biggers <ebiggers3@xxxxxxxxx>
> Cc: David Laight <David.Laight@xxxxxxxxxx>
> Cc: Eric Dumazet <eric.dumazet@xxxxxxxxx>

The networking tree (net-next) which is where you are submitting to is technically
closed right now.

Next message: Jason A. Donenfeld: "Re: [PATCH v7 1/6] siphash: add cryptographically secure PRF"
Previous message: Lu Baolu: "Re: [PATCH 2/2] usb: host: xhci: Handle the right timeout command"
In reply to: Jason A. Donenfeld: "[PATCH v7 1/6] siphash: add cryptographically secure PRF"
Next in thread: Jason A. Donenfeld: "[PATCH v7 2/6] secure_seq: use SipHash in place of MD5"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]