On Wed, Aug 5, 2020 at 6:07 PM tytso@mit.edu wrote:
That being said, it certainly is a certificational / theoretical weakness
random.c is filled with super suspicious things that are probably only correct by accident, or only correct in practice, but in theory it's just such a mess. Stupid example if I'm remembering correctly: you fill the sha1 IV with input from rdrand; if rdrand is borked or backdoored or whatever, then the security of sha1 there reduces to shacal1, which isn't totally broken, far from it actually, so we're fine there, but you can't help but look at that and say "ugh." I'll rewrite that eventually. Anyway, having another "certificational weakness", as you put it, that isn't a practical one would be par for the course with random.c
, and if the bright boys and girls at Fort Meade did figure out a way to exploit this, they are very much unlikely to share it at an open Crypto conference. So replacing LFSR-based PRnG with something stronger which didn't release any bits from the fast_pool would certainly be desireable, and I look forward to seeing what Willy has in mind.
This disaster is partially my fault. I was going to make get_random_u{32,64} fast enough that we could get rid of the fake rng stuff, and then Covid things got weird and I haven't gotten refocused on that yet. Andy started that, and I was supposed to pick up his work and complete it, but I dropped the ball. I kept meaning to get back to that, but I'd get discouraged every time I saw Willy sending more messages about improving the fake rng stuff with more fake rng stuff. But, seems like it's time for me to step on the pedal a bit and get that working. So hopefully we'll be able to get rid of the code in question here, and use a good rng everywhere. I'll send an update on that if I get it working.
Jason