Re: [PATCH] random: mix all saved registers into entropy pool

From: JÃrn Engel
Date: Wed May 21 2014 - 16:31:24 EST


On Wed, 21 May 2014 21:39:05 +0200, Andi Kleen wrote:
>
> > I think leaking of private keys or similar information is not a
> > concern. But please prove me wrong. Better you now than someone else
> > later.
>
> While I don't have a concrete exploit it seems seems dangerous to me.
> The LibreSSL people just removed a similar behavior from OpenSSL.

Similar, yes. But there is a difference:
Unconditionally mixing your private key into the entropy pool yields
zero entropy. While your private is hopefully unpredictable to an
attacker, it never changes. OpenSSL mixed the private keys for no
benefit.

The reason why I want this patch in is to avoid a different
non-theoretical dangerous situation. get_cycles() returns 0 on
several architectures and Ted's recent "improvements" are thus far
only noise. Architectures could define random_get_entropy() to
something else, but no architecture does it. Therefore we have
millions of embedded systems with interrupts as their sole entropy
source and jiffies as the only timestamp component.

To top it off, those same systems usually lack a read-write filesystem
and will not initialize /dev/random from state read out before the
last reboot. Now try to estimate how much time has to pass since
reboot until those systems have accumulated 128 bits of entropy. I
have not heard an estimate from anyone yet.

If you have an alternative approach to fix this very real problem
without potentially leaking private keys under conditions that also
allow more efficient attacks, I would love to know about it. So far
this is my best attempt and it beats all alternatives I know about.
Which just shows you how horrible the alternatives are.

Also see:
http://blog.fefe.de/?ts=ada960dc
https://factorable.net/weakkeys12.extended.pdf

JÃrn

--
The art of propaganda is not telling lies, but rather selecting
the truth you require and giving it mixed up with some truths
the audience wants to hear.
-- Richard Crossman
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/