bug-gnulib
Re: getrandom vs. crypto/gc-random


From: Bruno Haible
Subject: Re: getrandom vs. crypto/gc-random
Date: Mon, 01 Jun 2020 18:53:50 +0200
User-agent: KMail/5.1.3 (Linux/4.4.0-177-generic; KDE/5.18.0; x86_64; ; )

Hi Jeffrey,

I'm trying to state in simple-to-understand words what Simon said
about getrandom(), getentropy(), and libgcrypt.

If you have a better wording, please submit a patch.

> Nowadays it may be prudent to simply state the data returned from the
> prng should be treated as a seed and not used directly.

Why? Why would it not be OK to use it in tempname(), for example?
Whether the numbers come from an in-kernel pseudo-random-number generator
or from a user-mode pseudo-random-number generator doesn't change
things.

> For folks who need crypto parameters, suggest they use
> Krawczyk's HKDF to extract the entropy from the seed and expand it.
> HKDF provides provable security properties and Krawczyk provides the
> analysis.

If the algorithm you mean is already contained in libgcrypt, referring to
libgcrypt should be enough, no? If not, and if Krawczyk's algorithm
is as important as you present it, why is it not in libgcrypt?

> I would avoid labels like "low quality" and "high quality".

Is "crypto-strength", as Simon formulated it, a better term? IMO, it
requires a bit of knowledge to understand that "crypto-strength" means
"very high quality".

Also, there are no absolute terms, I guess - since it depends on the
OS, and the OSes are getting better over time.

> It is
> impossible to judge at runtime without auditing mechanisms in place
> operating on the returned data. Even trying to pick a test at runtime
> to judge the stream is like trying to pin jello to a wall.

Do you have time to analyze the strength of getrandom() and
getentropy() on a dozen platforms? I don't. Therefore I can't put
in more than a subjective measurement.

> Also, it looks like (to me) getrandom may suffer VM rollback attacks.
> So claiming a stream is high quality may be questionable if a reboot
> produces the same stream.

On which systems does getrandom() have this problem? Also, it surely
depends on the way it's configured. If it has a network interface to the
host machine, and the number of packets per second on that network interface
is used as an entropy source, there should be no problem.

I don't wish to enter into a time-consuming dialogue about security.
All I wish is to have a reasonably short and understandable piece of text
for the Gnulib documentation.

Bruno
