Re: DRBG parallel requests

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Am Donnerstag, 16. April 2015, 22:44:55 schrieb Herbert Xu:

Hi Herbert, Rafael,

>Hi Stephan:
>
>Currently you can have two users of DRBG issuing requests in
>parallel and end up using the same internal state.  The only
>difference between them is the cycle counter that you inject
>into the DRBG.
>
>I can't see how this is safe as the cycle counter contains minimal
>entropy.  The whole DRBG scheme depends on the fact that states
>are not reused so surely this is a very bad thing?
>
>I think we should just stick with locking the entire generation
>function.

Ok, I can certainly add such a lock. That would simply the code significantly 
as the entire business with the shadow copy goes away.

However, before I aired the DRBG, Rafael reviewed the DRBG. Initially I had 
such a "global" lock during the operation of the DRBG. Rafael's strongest 
comment was to remove the lock in favor of the shadow approach considering 
that this approach scales much better.

Surely, the shadow approach scales better than a global lock. But its drawback 
is the (almost) identical state.

Rafael: do you have any better idea here other than remove the shadow copy 
approach and use a global lock?
>
>The only users of RNG in the crypto API do so in process context
>so we can make it a rule that all users RNG must be in process
>context.

Herbert, which type of lock am I allowed to use? Is a spin lock sufficient or 
shall I use a mutex. I am not fully sure whether the used shash or cipher type 
can sleep.
>
>Cheers,


Ciao
Stephan
--
To unsubscribe from this list: send the line "unsubscribe linux-crypto" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html




[Index of Archives]     [Kernel]     [Gnu Classpath]     [Gnu Crypto]     [DM Crypt]     [Netfilter]     [Bugtraq]

  Powered by Linux