On Wed, Aug 5, 2020 at 6:07 PM <tytso@xxxxxxx> wrote:
> That being said, it certainly is a certificational / theoretical
> weakness
random.c is filled with super suspicious things that are probably only
correct by accident, or only correct in practice, but in theory it's
just such a mess. Stupid example if I'm remembering correctly: you
fill the sha1 IV with input from rdrand; if rdrand is borked or
backdoored or whatever, then the security of sha1 there reduces to
shacal1, which isn't totally broken, far from it actually, so we're
fine there, but you can't help but look at that and say "ugh." I'll
rewrite that eventually. Anyway, having another "certificational
weakness", as you put it, that isn't a practical one would be par for
the course with random.c
> , and if the bright boys and girls at Fort Meade did figure
> out a way to exploit this, they are very much unlikely to share it at
> an open Crypto conference. So replacing LFSR-based PRnG with
> something stronger which didn't release any bits from the fast_pool
> would certainly be desireable, and I look forward to seeing what Willy
> has in mind.
This disaster is partially my fault. I was going to make
get_random_u{32,64} fast enough that we could get rid of the fake rng
stuff, and then Covid things got weird and I haven't gotten refocused
on that yet. Andy started that, and I was supposed to pick up his work
and complete it, but I dropped the ball. I kept meaning to get back to
that, but I'd get discouraged every time I saw Willy sending more
messages about improving the fake rng stuff with more fake rng stuff.
But, seems like it's time for me to step on the pedal a bit and get
that working. So hopefully we'll be able to get rid of the code in
question here, and use a good rng everywhere. I'll send an update on
that if I get it working.
Jason
