From: Rich Felker <dalias@libc.org>
To: Adhemerval Zanella Netto <adhemerval.zanella@linaro.org>
Cc: Florian Weimer <fweimer@redhat.com>,
Yann Droneaud <ydroneaud@opteya.com>,
"Jason A. Donenfeld" <Jason@zx2c4.com>,
libc-alpha@sourceware.org, Michael@phoronix.com, jann@thejh.net
Subject: Re: arc4random - are you sure we want these?
Date: Mon, 25 Jul 2022 13:41:38 -0400 [thread overview]
Message-ID: <20220725174138.GH7074@brightrain.aerifal.cx> (raw)
In-Reply-To: <b33914f7-660a-e5c9-f77b-2f6227ea8ab8@linaro.org>
On Mon, Jul 25, 2022 at 12:59:39PM -0300, Adhemerval Zanella Netto via Libc-alpha wrote:
>
>
> On 25/07/22 12:33, Rich Felker wrote:
> >
> > If this is just a case of trying to be "cautious" about overpromising
> > things, the documentation needs fixed to specify that this is a
> > CSPRNG. I'm particularly worried about the wording "these still use a
> > Pseudo-Random generator and should not be used in cryptographic
> > contexts". *All* CSPRNGs are PRNGs. Being pseudo-random does not make
> > it not cryptographically safe. The safety depends on the original
> > source of the entropy and the practical irreversibility and other
> > cryptographic properties of the extension function. The fact that this
> > has been stated so poorly in the documentation really has me worried
> > that someone does not understand the issues. I haven't dug into the
> > list mails or actual code to determine to what extent that's the case,
> > but it's really, *really* worrying.
>
> That's the main drive to avoid calling CSPRNGs, since nor me or Florian
> is secure enough to certify current scheme can actually follow all the
> requirements. It does follow OpenBSD strategy of a fast-key-erasure
> random-number generators, although all strategies of key reseeding are
> basically heuristics.
I think the core problem here is that, in making an implementation of
a widely agreed-upon historical function with an existing working
definition of what "cryptographically secure" means of a PRNG, you're
instead positing a possibly-different definition of "CS" and saying
"it might not be CS by this new definition". This does genuine harm to
understanding of an area developers and users already understand very
very poorly.
The documentation should state that it's cryptographically secure in
the sense normally meant for arc4random, which includes not falsely
returning with "success" at early boot (no GRND_INSECURE or AT_RANDOM
fallback), but that this does not necessarily include any guarantees
about what happens in a program with undefined behavior ("hardening"
properties) or things like actively trying to prevent you from cloning
state (VM freeze/resume stuff, etc.)
> If I understand Jason argument correctly, unless we have a kernel API
> which it actually handles the buffer (so it can reseed or clear when it
> seems fit), there is no point is proving a CSPRNGs in userspace, use
> getrandom instead.
As for me, I am in favor of having the interface, and would be fine
with having it just wrap getentropy as an unlimited-length version
thereof. The value is in having a commonly agreed upon API with common
guarantees so as not to promote YOLO NIH of critical stuff like safe
fallbacks for entropy.
Rich
next prev parent reply other threads:[~2022-07-25 17:41 UTC|newest]
Thread overview: 81+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <YtwgTySJyky0OcgG@zx2c4.com>
2022-07-23 16:25 ` Jason A. Donenfeld
2022-07-23 17:18 ` Paul Eggert
2022-07-24 23:55 ` Jason A. Donenfeld
2022-07-25 20:31 ` Paul Eggert
2022-07-23 17:39 ` Adhemerval Zanella Netto
2022-07-23 22:54 ` Jason A. Donenfeld
2022-07-25 15:33 ` Rich Felker
2022-07-25 15:59 ` Adhemerval Zanella Netto
2022-07-25 17:41 ` Rich Felker [this message]
2022-07-25 16:18 ` Sandy Harris
2022-07-25 16:40 ` Florian Weimer
2022-07-25 16:49 ` Adhemerval Zanella Netto
2022-07-25 16:51 ` Jason A. Donenfeld
2022-07-25 17:44 ` Rich Felker
2022-07-25 18:33 ` Cristian Rodríguez
2022-07-25 18:49 ` Rich Felker
2022-07-27 1:54 ` Theodore Ts'o
2022-07-27 2:16 ` Rich Felker
2022-07-27 2:45 ` Theodore Ts'o
2022-07-27 11:34 ` Adhemerval Zanella Netto
2022-07-27 12:32 ` Theodore Ts'o
2022-07-27 12:49 ` Florian Weimer
2022-07-27 20:15 ` Theodore Ts'o
2022-07-27 21:59 ` Rich Felker
2022-07-28 0:30 ` Theodore Ts'o
2022-07-28 0:39 ` Cristian Rodríguez
2022-07-27 15:39 ` Rich Felker
2022-07-23 19:04 ` Cristian Rodríguez
2022-07-23 22:59 ` Jason A. Donenfeld
2022-07-24 16:23 ` Cristian Rodríguez
2022-07-24 21:57 ` Jason A. Donenfeld
2022-07-25 10:14 ` Florian Weimer
2022-07-25 10:11 ` Florian Weimer
2022-07-25 11:04 ` Jason A. Donenfeld
2022-07-25 12:39 ` Florian Weimer
2022-07-25 13:43 ` Jason A. Donenfeld
2022-07-25 13:58 ` Cristian Rodríguez
2022-07-25 16:06 ` Rich Felker
2022-07-25 16:43 ` Florian Weimer
2022-07-26 14:27 ` Overwrittting AT_RANDOM after use (was Re: arc4random - are you sure we want these?) Yann Droneaud
2022-07-26 14:35 ` arc4random - are you sure we want these? Yann Droneaud
2022-07-25 13:25 ` Jeffrey Walton
2022-07-25 13:48 ` Jason A. Donenfeld
2022-07-25 14:56 ` Rich Felker
2022-07-25 22:57 ` [PATCH] arc4random: simplify design for better safety Jason A. Donenfeld
2022-07-25 23:11 ` Jason A. Donenfeld
2022-07-25 23:28 ` [PATCH v2] " Jason A. Donenfeld
2022-07-25 23:59 ` Eric Biggers
2022-07-26 10:26 ` Jason A. Donenfeld
2022-07-26 1:10 ` Mark Harris
2022-07-26 10:41 ` Jason A. Donenfeld
2022-07-26 11:06 ` Florian Weimer
2022-07-26 16:51 ` Mark Harris
2022-07-26 18:42 ` Jason A. Donenfeld
2022-07-26 19:18 ` Adhemerval Zanella Netto
2022-07-26 19:24 ` Jason A. Donenfeld
2022-07-26 9:55 ` Florian Weimer
2022-07-26 11:04 ` Jason A. Donenfeld
2022-07-26 11:07 ` [PATCH v3] " Jason A. Donenfeld
2022-07-26 11:11 ` Jason A. Donenfeld
2022-07-26 11:12 ` [PATCH v2] " Florian Weimer
2022-07-26 11:20 ` Jason A. Donenfeld
2022-07-26 11:35 ` Adhemerval Zanella Netto
2022-07-26 11:33 ` Adhemerval Zanella Netto
2022-07-26 11:54 ` Jason A. Donenfeld
2022-07-26 12:08 ` Jason A. Donenfeld
2022-07-26 12:20 ` Jason A. Donenfeld
2022-07-26 12:34 ` Adhemerval Zanella Netto
2022-07-26 12:47 ` Jason A. Donenfeld
2022-07-26 13:11 ` Adhemerval Zanella Netto
2022-07-26 13:30 ` [PATCH v4] " Jason A. Donenfeld
2022-07-26 15:21 ` Yann Droneaud
2022-07-26 16:20 ` Adhemerval Zanella Netto
2022-07-26 18:36 ` Jason A. Donenfeld
2022-07-26 19:08 ` [PATCH v5] " Jason A. Donenfeld
2022-07-26 19:58 ` [PATCH v6] " Jason A. Donenfeld
2022-07-26 20:17 ` Adhemerval Zanella Netto
2022-07-26 20:56 ` Adhemerval Zanella Netto
2022-07-28 10:29 ` Szabolcs Nagy
2022-07-28 10:36 ` Szabolcs Nagy
2022-07-28 11:01 ` Adhemerval Zanella
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220725174138.GH7074@brightrain.aerifal.cx \
--to=dalias@libc.org \
--cc=Jason@zx2c4.com \
--cc=Michael@phoronix.com \
--cc=adhemerval.zanella@linaro.org \
--cc=fweimer@redhat.com \
--cc=jann@thejh.net \
--cc=libc-alpha@sourceware.org \
--cc=ydroneaud@opteya.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).