[PATCH]
Jean-Luc Cooke
jlcooke at certainkey.com
Fri Aug 6 14:54:27 CEST 2004
On Fri, Aug 06, 2004 at 12:42:38AM -0400, James Morris wrote:
> On Fri, 6 Aug 2004, Jean-Luc Cooke wrote:
>
> > James,
> > Back to your question:
> > I want to replace the legacy MD5 and the incorrectly implemented SHA-1
> > implementations from driver/char/random.c
>
> Incorrectly implemented? Do you mean not appending the bit count?
That and it's not endian-correct. There are other issues with random.c (lack
for forward secrecy in the case of seed discovery, use of the insecure MD4 in
creating syn and seq# for tcp, the use of halfMD4 and twothridsMD4 is
madness
(what is 2/3's of 16!?!), the use of LFSRs for "mixing" when they're linear,
the polymonials used are not even primitive, the ability for root to wipe-out
the random pool, the ability for root to access the random seed directly, the
paper I'm co-authoring will explain all of this).
Basically, the paper will be describing about 12 security problems with the
current random.c and propose (with patch included) a new design that solves
all of these, uses crypto-api, uses known crypto primitives, is simpler to
read
and analyse and for a bonus is 2x to 4x faster in adding and retrieving data
from the pool.
If I can avoid scatter-gather for what is effectively just mixing bytes with
SHA256
& AES256 then this would make things very neat and tidy (read: easier for
peer review)
Cheers,
JLC
More information about the CryptoAPI
mailing list