On Thu, 22 Dec 2016 00:02:11 +0100 "Jason A. Donenfeld" <Jason@xxxxxxxxx> wrote: > SipHash is a 64-bit keyed hash function that is actually a > cryptographically secure PRF, like HMAC. Except SipHash is super fast, > and is meant to be used as a hashtable keyed lookup function, or as a > general PRF for short input use cases, such as sequence numbers or RNG > chaining. > > For the first usage: > > There are a variety of attacks known as "hashtable poisoning" in which an > attacker forms some data such that the hash of that data will be the > same, and then preceeds to fill up all entries of a hashbucket. This is > a realistic and well-known denial-of-service vector. Currently > hashtables use jhash, which is fast but not secure, and some kind of > rotating key scheme (or none at all, which isn't good). SipHash is meant > as a replacement for jhash in these cases. > > There are a modicum of places in the kernel that are vulnerable to > hashtable poisoning attacks, either via userspace vectors or network > vectors, and there's not a reliable mechanism inside the kernel at the > moment to fix it. The first step toward fixing these issues is actually > getting a secure primitive into the kernel for developers to use. Then > we can, bit by bit, port things over to it as deemed appropriate. > > While SipHash is extremely fast for a cryptographically secure function, > it is likely a bit slower than the insecure jhash, and so replacements > will be evaluated on a case-by-case basis based on whether or not the > difference in speed is negligible and whether or not the current jhash usage > poses a real security risk. > > For the second usage: > > A few places in the kernel are using MD5 or SHA1 for creating secure > sequence numbers, syn cookies, port numbers, or fast random numbers. > SipHash is a faster and more fitting, and more secure replacement for MD5 > in those situations. Replacing MD5 and SHA1 with SipHash for these uses is > obvious and straight-forward, and so is submitted along with this patch > series. There shouldn't be much of a debate over its efficacy. > > Dozens of languages are already using this internally for their hash > tables and PRFs. Some of the BSDs already use this in their kernels. > SipHash is a widely known high-speed solution to a widely known set of > problems, and it's time we catch-up. > > Signed-off-by: Jason A. Donenfeld <Jason@xxxxxxxxx> > Cc: Jean-Philippe Aumasson <jeanphilippe.aumasson@xxxxxxxxx> > Cc: Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> > Cc: Eric Biggers <ebiggers3@xxxxxxxxx> > Cc: David Laight <David.Laight@xxxxxxxxxx> > Cc: Eric Dumazet <eric.dumazet@xxxxxxxxx> The networking tree (net-next) which is where you are submitting to is technically closed right now. -- To unsubscribe from this list: send the line "unsubscribe linux-crypto" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html