[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Cryptokit.Random unsuitable in cooperative multithreaded systems

Agreed; I'm being conservative about key generation and assuming that any key may be persisted. This is too strong for most transient protocols uses such as DH. Many of the libraries (eg the IP ID generator) can get very far on a little randomness and stirring.

My worry is in the other direction about the OpenSSL stub domain that Dave wants as an interim measure until we have an OCamlSSL. We need to pull in a suitable rng for pvxen before even considering that...

Anil

On 24 Apr 2013, at 21:08, Stephen Dolan <stedolan@xxxxxxxxxxxx> wrote:

There are two distinct scenarios for key generation - generating a long lived key (say, an SSH host key that's persisted to disk and "never" changes) for which /dev/random is the right choice, and generating immediate keys for an automated process (e.g. SSL session keys), for which /dev/urandom is probably better. It's the same RNG that /dev/random uses, and it's not significantly more reversible than whatever crypto you're generating keys for. The trivial DoS from opening lots of connections and handshaking until the entropy pool runs dry is a much bigger security risk than using /dev/urandom for key generation.


On Wed, Apr 24, 2013 at 8:29 PM, Anil Madhavapeddy <anil@xxxxxxxxxx> wrote:
Mirage is just a collection of libraries, so we need to split up random number usage into a few scenarios:

- Cryptokit requires strong random numbers for key generation, so it uses /dev/random in UNIX and blocks.  Key generation is probably the only case where we want to use this.

- Other applications just want good-enough random sources, so in UNIX/Mirage we would use /dev/urandom, and in Xen/Mirage we would need an arc4random stirring pool and scavenge whatever we can get from the PV interfaces.

It's not clear to me what the best strategy is for key generation in Xen at the moment.  It does make me wonder if it's worth generating a bunch of SSH keys on Amazon EC2 and inspect their quality (although presumably, SSH uses /dev/random for this and should just be slow about key generation on Xen).  The latest Ivy Bridge chipsets do have hardware RNGs that should show up in a PV guest too.

-anil

On 24 Apr 2013, at 18:49, Stephen Dolan <stedolan@xxxxxxxxxxxx> wrote:

> Shouldn't Mirage be using /dev/urandom anyway? I don't think /dev/random is a good idea for anything non-interactive, it's too easy to DoS.
>
> Stephen
>
>
> On Wed, Apr 24, 2013 at 6:34 PM, Daniel BÃnzli <daniel.buenzli@xxxxxxxxxxxx> wrote:
>
>
> Le mardi, 23 avril 2013 Ã 15:28, Anil Madhavapeddy a Ãcrit :
>
> > Cryptokit's a pretty important project, particularly to Mirage. If I remember right, it moved to the Forge after Sylvain took over maintainership. The last release was June 2012, so it doesn't seem totally unmaintained.
>
> Well the original author seems even active at the moment:
>
> https://forge.ocamlcore.org/forum/forum.php?forum_id=875
>
> Daniel
>
>

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.