Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF

From: Jeffrey Walton
Date: Sat Dec 17 2016 - 11:14:53 EST

Next message: Ingo Molnar: "Re: [PATCH] x86/floppy: use designated initializers"
Previous message: Sebastian Reichel: "Re: [PATCH v2 00/11] add support for VBUS max current and min voltage limits AXP20X and AXP22X PMICs"
In reply to: Theodore Ts'o: "Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF"
Next in thread: Jason A. Donenfeld: "Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

> As far as half-siphash is concerned, it occurs to me that the main
> problem will be those users who need to guarantee that output can't be
> guessed over a long period of time. For example, if you have a
> long-running process, then the output needs to remain unguessable over
> potentially months or years, or else you might be weakening the ASLR
> protections. If on the other hand, the hash table or the process will
> be going away in a matter of seconds or minutes, the requirements with
> respect to cryptographic strength go down significantly.

Perhaps SipHash-4-8 should be used instead of SipHash-2-4. I believe
SipHash-4-8 is recommended for the security conscious who want to be
more conservative in their security estimates.

SipHash-4-8 does not add much more processing. If you are clocking
SipHash-2-4 at 2.0 or 2.5 cpb, then SipHash-4-8 will run at 3.0 to
4.0. Both are well below MD5 times. (At least with the data sets I've
tested).

> Now, maybe this doesn't matter that much if we can guarantee (or make
> assumptions) that the attacker doesn't have unlimited access the
> output stream of get_random_{long,int}(), or if it's being used in an
> anti-DOS use case where it ultimately only needs to be harder than
> alternate ways of attacking the system.
>
> Rekeying every five minutes doesn't necessarily help the with respect
> to ASLR, but it might reduce the amount of the output stream that
> would be available to the attacker in order to be able to attack the
> get_random_{long,int}() generator, and it also reduces the value of
> doing that attack to only compromising the ASLR for those processes
> started within that five minute window.

Forgive my ignorance... I did not find reading on using the primitive
in a PRNG. Does anyone know what Aumasson or Bernstein have to say?
Aumasson's site does not seem to discuss the use case:
https://www.google.com/search?q=siphash+rng+site%3A131002.net. (And
their paper only mentions random-number once in a different context).

Making the leap from internal hash tables and short-lived network
packets to the rng case may leave something to be desired, especially
if the bits get used in unanticipated ways, like creating long term
private keys.

Jeff

Next message: Ingo Molnar: "Re: [PATCH] x86/floppy: use designated initializers"
Previous message: Sebastian Reichel: "Re: [PATCH v2 00/11] add support for VBUS max current and min voltage limits AXP20X and AXP22X PMICs"
In reply to: Theodore Ts'o: "Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF"
Next in thread: Jason A. Donenfeld: "Re: [kernel-hardening] Re: [PATCH v5 1/4] siphash: add cryptographically secure PRF"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]