Re: [Security] [PATCH] proc: avoid information leaks to non-privileged processes
From: Matt Mackall
Date: Thu May 07 2009 - 13:00:11 EST
On Thu, May 07, 2009 at 05:16:27PM +0200, Florian Weimer wrote:
> * Matt Mackall:
>
> > On Wed, May 06, 2009 at 09:48:20AM -0700, Linus Torvalds wrote:
> >>
> >> Matt, are you willing to ack my suggested patch which adds history to the
> >> mix? Did somebody test that? I have this memory of there being an
> >> "exploit" program to show the non-randomness of the values, but I can't
> >> recall details, and would really want to get a second opinion from
> >> somebody who cares about PRNG's.
> >
> > I still don't like it. I bounced it off some folks on the adversarial
> > side of things and they didn't think it looked strong enough either.
> > Full MD5 collisions can be generated about as fast as they can be
> > checked, which makes _reduced strength_ MD4 not much better than an
> > LFSR in terms of attack potential.
>
> Well, with periodic reseeding, even that shouldn't be a problem. You
> don't need collision resistance at all, so those MD5 attacks don't
> tell you anything about the difficulty of state recovery/prediction
> attacks on your variant.
It's *not* MD5. It's a reduced-round MD4. And MD4 is already many
orders of magnitude weaker than MD5. It's so weak in fact that
collisions can be generated in O(1)[1]. Hard to get much weaker than
that, except by, say, using something like our reduced-round variant.
It's not much of a stretch of the imagination to think that such an
amazingly weak hash might reveal our hidden state quite rapidly,
especially when used in a feedback mode.
[1] http://eprint.iacr.org/2005/151.pdf
We have a better hash function handy, and it's only takes twice as long.
> On the other hand, most people who need a quick, unpredictable source
> of randomness seem to use RC4 with a random key initialized from a
> more costly source.
Using a stream cipher is a fine idea. Ted and I have recently
discussed adding this as a layer to the stock RNG. We haven't used it
historically because of a) export restrictions and b) unsuitability of
the cryptoapi interface.
> Oh, and you should really, really ditch that Tausworthe generator (in
> lib/random32.c).
I'm not responsible for that particular bad idea.
--
Mathematics is the supreme nostalgia of our time.
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/