Reconsider ReseedingRng
#298
Comments
|
Because of @pitdicker's work (#281) the performance overhead should be negligible, although there would be code simplifications. I think the crux of the linked argument is that including randomness from a potentially compromised source can be dangerous, but we only use randomness from As for whether reseeding is useful, I don't know. |
|
We already don't reseed There have already been a lot of discussion around this, have you read that? I have also read that post by djb, and he mainly argues against the merit of adding entropy to an RNG. What if an attacker can control that entropy source? Still, it is a good point. But I think it applies more to the OS RNG that should consider to just stop adding entropy, so there is no risk during a (pretty hypothetical) attack an entropy sources later. In our case the entropy source is the OS RNG. Should we ever program defensively because it might have been breached? And if so, how do you know the initial seed of the RNG is ok, but later reseeds are not? Still in our case there is the argument of security in depth. Reseeding protects against for example faulty implementations, and also user space is less protected than the kernel. Also Removing |
That is not quite correct. Using both does not solve the problem, because compromising one of several entropy sources is enough, as discussed in the blog post I linked.
My bad, we are only reseeding
Why? I don't see any difference for our use case.
Should we ever program defensively because the the crypto algorithm might have been breached? How do you know reseeding fixes the breach? It is possible that an entropy source becomes compromised later. "This source was not compromised" is a weaker assumption than "this source never was and never will be compromised". This is similar to the "trust on first use" approach often used with SSH.
Is it? Currently this would mean that only
Whether or not |
Where? I'm only aware of #230. |
The attack mentions relies on the source of
We certainly can't protect all I do wonder if we should make
A lot of discussion has been badly organised. You could spend several hours reading comments in the RFCs I wrote, but I'm not sure where exactly. |
|
I am sorry, that was a little frustration from my side. Some things just have just come up several times since august last year, or at least that seems so to me. And if not in the last half year, then in the history of issues/PRs/RFC about rand to rust repro before... Actually I made a PR to remove
The RNG in the Linux kernel (what this is mostly about) is of a type we don't yet have in Rand. It has an actual entropy pool that frequently gets integrated into the state of the RNG. And the algorithms that do so have been under frequent discussion (and where not the best if I remember). What we have is a CSPRNG of which the entire that gets completely re-initialized. I have even argued for such a complete re-initialization because of the comment by djb in your first post.
Depends on how obscure the algorithm is you use 😄. For things like ChaCha I would say we are ok. What we may have to worry more about, are Rust re-implementations that can be of variable quality of algorithms. But this is not the primary argument for I believe the common way a CSPRNGs might turn out to be 'broken' is if over the course of very many runs slowly details about the RNGs internal state get revealed. If you reseed (by recreating the RNG from scratch) during this window, you prevent the vulnerability. @dhardy Again we wrote a reply at the same time 😄. |
|
Thanks a lot for the clarification! |
|
In fact, I read DJB's comments primarily as a narrower critique on algorithms, like ECDSA, that use more randomness than more deterministic algorithms, like EdDSA, because CSPRNG designers cannot fully eliminate these problems. In his example, DJB discusses a PRNG that holds x and y fixed with the adversary altering r before forcing a re-computation of H(x,y,r), but actually it frequently makes no difference if x and y are fix or exist at all. In fact, an attacker who can force reseeding, and observe, the output can always force a partially desirable output, no matter whatever else you do. There is no inherent advantage or disadvantage to doing your own entropy pool or not doing one, except.. You do want a solid entropy pool at some level, so.. If you do not believe in the kernel's pool then you should send Linus a pull request. ;) In fact, an attacker who can force new threads can do this attack independently of any All this becomes worse if the attacker can observe the x and y of course, because they can do this attack themselves "offline". You should thus be careful about using a Interestingly, there might be a use case for the otherwise useless |
|
What's the conclusion of this discussion — no actionable items? I suggested one thing but it's off-topic so I'll open another issue. |
|
Also the |
|
So we added the Then I think this issue can be closed? |
Cryptographers are arguing against using any kind of reseeding, because it can compromise security (djb). Now that we are using an accepted stream cipher, the old argument about ISAAC does not hold anymore. I think we should stop reseeding
StdRngand removeReseedingRng. This would simplify the code, improve performance and arguably improve security as well.The text was updated successfully, but these errors were encountered: