tech-kern archive


Re: kaslr: better rng



> Date: Wed, 8 Nov 2017 18:23:11 +0100
> From: Maxime Villard <max%m00nbsd.net@localhost>
> 
> On 08/11/2017 at 18:17, Maxime Villard wrote:
> > On 08/11/2017 at 17:37, Taylor R Campbell wrote:
> >> What's the advantage of (a) changing the on-disk file hierarchy and
> >> generating the data on shutdown, versus (b) leaving the on-disk file
> >> hierarchy unchanged and generating the data on boot?
> > 
> > The randomness of (b) is stronger than that of (a). But perhaps in a scale
> > that is so insignificant that we actually don't care (?).
> 
> Obviously I meant the contrary: the randomness of (a) is stronger than that
> of (b), sorry about that.

There is no meaningful difference between storing a seed on disk and
storing the output of expanding that seed into a pad on disk.  Either
way the seed is derived from SHA1(entropypool) at the moment.

We can argue about how to expand the seed (AES128-CTR-DRBG, SHAKE256,
ChaCha, whatever) but the point remains the same.

(Generally I would recommend SHAKE256 for ~everything here, since
nobody will ever get fired for choosing NIST standards, and it
obviously has a higher security margin than AES128, and I have a very
small easy-to-audit implementation handy already that almost made it
into src a couple years ago anyway but for possible incompatibility
with OpenSSL's SHA-3 API in libc.)
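As an added illustration (this is not code from the thread, nor NetBSD's kernel code), the Python sketch below models the two options being compared: writing the seed to disk and expanding it at boot, versus expanding the seed into the pad at shutdown and writing the pad. The seed is taken as SHA1 of an entropy pool, as the message says is done today, and expanded with SHAKE256 via `hashlib.shake_256`. The pad length, the domain-separation label, the slot layout and all function names are assumptions made for the example; the point it demonstrates is that whoever can read the on-disk record recovers exactly the same pad either way, so the storage choice does not change what a disk reader learns.

```python
import hashlib

# Constructed parameters for the example (not NetBSD's values).
PAD_LEN = 64            # bytes of randomization material to derive
SLOTS = 1 << 12         # power-of-two number of candidate positions per segment
LABEL = b"kaslr-pad"    # assumed domain-separation label for this consumer


def seed_from_pool(entropy_pool: bytes) -> bytes:
    """Current scheme as described in the message: seed = SHA1(entropy pool)."""
    return hashlib.sha1(entropy_pool).digest()


def expand_seed(seed: bytes, length: int = PAD_LEN, label: bytes = LABEL) -> bytes:
    """Expand a short seed into `length` bytes with the SHAKE256 XOF.

    The label is prefixed so that a seed reused by another consumer with a
    different label yields unrelated output (assumed convention, not NetBSD's).
    """
    xof = hashlib.shake_256()
    xof.update(label + b"\x00" + seed)
    return xof.digest(length)


def record_written_at_boot_scheme(seed: bytes) -> dict:
    """Option (b): the seed itself goes to disk; expansion happens on boot."""
    return {"kind": "seed", "blob": seed}


def record_written_at_shutdown_scheme(seed: bytes) -> dict:
    """Option (a): the seed is expanded on shutdown and the pad goes to disk."""
    return {"kind": "pad", "blob": expand_seed(seed)}


def pad_from_disk(record: dict) -> bytes:
    """What anyone holding the on-disk record (the kernel, or a reader of the
    file) can compute: the full pad, in either scheme."""
    if record["kind"] == "seed":
        return expand_seed(record["blob"])
    return record["blob"]


def segment_slots(pad: bytes, nsegs: int, slots: int = SLOTS) -> list:
    """Carve one slot index per segment out of the pad, 4 bytes each.

    `slots` must be a power of two so masking gives a uniform index without
    the bias that a plain modulo would introduce for other sizes.
    """
    if slots & (slots - 1):
        raise ValueError("slots must be a power of two")
    if 4 * nsegs > len(pad):
        raise ValueError("pad too short for the requested number of segments")
    return [
        int.from_bytes(pad[4 * i:4 * i + 4], "little") & (slots - 1)
        for i in range(nsegs)
    ]


if __name__ == "__main__":
    pool = b"constructed entropy pool contents, not real entropy"
    seed = seed_from_pool(pool)
    pad_b = pad_from_disk(record_written_at_boot_scheme(seed))
    pad_a = pad_from_disk(record_written_at_shutdown_scheme(seed))
    print("identical pads from both schemes:", pad_a == pad_b)
    print("segment slots:", segment_slots(pad_a, 8))
```

Whichever form is on disk, `pad_from_disk` yields the same bytes, which is the equivalence argued above; the remaining security questions are how the seed is derived from the pool and who can read the file, not which of the two records is written.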

