(Reseending since I accidentally sent it as HTML which the netdev
mailing list doesn't like)
On 2020-08-09 2:05 p.m., Marc Plumb wrote:
Willy,
On 2020-08-07 3:19 p.m., Willy Tarreau wrote:
If I can figure the state out once,
Yes but how do you take that as granted ? This state do
Willy,
On 2020-08-07 3:19 p.m., Willy Tarreau wrote:
On Fri, Aug 07, 2020 at 12:59:48PM -0700, Marc Plumb wrote:
If I can figure the state out once,
Yes but how do you take that as granted ? This state doesn't appear
without its noise counterpart,
Amit has shown attacks that can d
On 2020-08-07 10:43 a.m., Willy Tarreau wrote:
Which means that it's 2^32 effort to brute force this (which Amit called "no
biggie for modern machines"). If the noise is the raw sample data with only
a few bits of entropy, then it's even easier to brute force.
Don't you forget to multiply by
On 2020-08-07 12:03 a.m., Willy Tarreau wrote:
Just to give a heads up on this, here's what I'm having pending regarding
MSWS:
struct rnd_state {
uint64_t x, w;
uint64_t seed;
uint64_t noise;
};
uint32_t msws32(struct rnd_state *state)
{
uint64_t
Willy,
On 2020-08-05 11:30 p.m., Willy Tarreau wrote:
On Wed, Aug 05, 2020 at 03:21:11PM -0700, Marc Plumb wrote:
There is nothing wrong with perturbing net_rand_state, the sin is doing it
with the raw entropy that is also the seed for your CPRNG. Use the output of
a CPRNG to perturb the pool
On 2020-08-05 3:05 p.m., ty...@mit.edu wrote:
Well, technically it's not supposed to be a secure cryptographic
primitive. net_rand_state is used in the call prandom_u32(), so the
only supposed guarantee is PSEUDO random.
That being said, a quick "get grep prandom_u32" shows that there are a
Willy,
On 2020-08-05 12:38 p.m., Willy Tarreau wrote:
It's not *that* major an issue (in my personal opinion) but the current
net_rand_state is easy enough to guess so that an observer may reduce
the difficulty to build certain attacks (using known source ports for
example). The goal of this ch
Hi Willy,
On 2020-08-04 7:49 p.m., Willy Tarreau wrote:
Hi Marc,
On Tue, Aug 04, 2020 at 05:52:36PM -0700, Marc Plumb wrote:
Seeding two PRNGs with the same entropy causes two problems. The minor one
is that you're double counting entropy. The major one is that anyone who can
determin
Hi Ted,
On 2020-08-05 8:34 a.m., ty...@mit.edu wrote:
On Wed, Aug 05, 2020 at 04:49:41AM +0200, Willy Tarreau wrote:
Not only was this obviously not the goal, but I'd be particularly
interested in seeing this reality demonstrated, considering that
the whole 128 bits of fast_pool together count
Willy and Ted,
This commit has serious security flaws
f227e3ec3b5cad859ad15666874405e8c1bbc1d4
TL;DR This change takes the seed data from get_random_bytes and
broadcasts it to the network, thereby destroying the security of
dev/random. This change needs to be reverted and redesigned.
It
10 matches
Mail list logo
