Mercurial > dropbear
view libtomcrypt/notes/tech0004.txt @ 1306:34e6127ef02e
merge fixes from PuTTY import.c
toint() from misc.c
(revids are from hggit conversion)
changeset: 4620:60a336a6c85c
user: Simon Tatham <[email protected]>
date: Thu Feb 25 20:26:33 2016 +0000
files: import.c
description:
Fix potential segfaults in reading OpenSSH's ASN.1 key format.
The length coming back from ber_read_id_len might have overflowed, so
treat it as potentially negative. Also, while I'm here, accumulate it
inside ber_read_id_len as an unsigned, so as to avoid undefined
behaviour on integer overflow, and toint() it before return.
Thanks to Hanno Böck for spotting this, with the aid of AFL.
(cherry picked from commit 5b7833cd474a24ec098654dcba8cb9509f3bf2c1)
Conflicts:
import.c
(cherry-picker's note: resolving the conflict involved removing an
entire section of the original commit which fixed ECDSA code not
present on this branch)
changeset: 4619:9c6c638d98d8
user: Simon Tatham <[email protected]>
date: Sun Jul 14 10:45:54 2013 +0000
files: import.c ssh.c sshdss.c sshpubk.c sshrsa.c
description:
Tighten up a lot of casts from unsigned to int which are read by one
of the GET_32BIT macros and then used as length fields. Missing bounds
checks against zero have been added, and also I've introduced a helper
function toint() which casts from unsigned to int in such a way as to
avoid C undefined behaviour, since I'm not sure I trust compilers any
more to do the obviously sensible thing.
[originally from svn r9918]
changeset: 4618:3957829f24d3
user: Simon Tatham <[email protected]>
date: Mon Jul 08 22:36:04 2013 +0000
files: import.c sshdss.c sshrsa.c
description:
Add an assortment of extra safety checks.
[originally from svn r9896]
changeset: 4617:2cddee0bce12
user: Jacob Nevins <[email protected]>
date: Wed Dec 07 00:24:45 2005 +0000
files: import.c
description:
Institutional failure to memset() things pointed at rather than pointers.
Things should now be zeroed and memory not leaked. Spotted by Brant Thomsen.
[originally from svn r6476]
changeset: 4616:24ac78a9c71d
user: Simon Tatham <[email protected]>
date: Wed Feb 11 13:58:27 2004 +0000
files: import.c
description:
Jacob's last-minute testing found a couple of trivial bugs in
import.c, and my attempts to reproduce them in cmdgen found another
one there :-)
[originally from svn r3847]
changeset: 4615:088d39a73db0
user: Simon Tatham <[email protected]>
date: Thu Jan 22 18:52:49 2004 +0000
files: import.c
description:
Placate some gcc warnings.
[originally from svn r3761]
changeset: 4614:e4288bad4d93
parent: 1758:108b8924593d
user: Simon Tatham <[email protected]>
date: Fri Oct 03 21:21:23 2003 +0000
files: import.c
description:
My ASN.1 decoder returned wrong IDs for anything above 0x1E! Good
job it's never had to yet. Ahem.
[originally from svn r3479]
| author | Matt Johnston <matt@ucc.asn.au> |
|---|---|
| date | Tue, 12 Jul 2016 23:00:01 +0800 |
| parents | 1b9e69c058d2 |
| children |
line wrap: on
line source
Tech Note 0004 Using Yarrow, Fortuna and SOBER-128 Tom St Denis Introduction ------------ This tech note explains how to use three of the more useful pseudo random number generators and their own little "issues". While all of the PRNGs have the same API and are roughly used in the same manner their effectiveness really depends on the user knowing how they work. Yarrow ------ Yarrow is by far the simplest of the PRNGs. It gathers bits of entropy by hashing the pool state plus the additional bits storing the message digest back in the pool. E.g. pool = hash(pool || newbits) Simply dump bits into the PRNG via yarrow_add_entropy() and call yarrow_ready() when you want to put them to use. This PRNG while simple is not entirely safe. An attacker who learns the state of the pool and can control future events can control the PRNG. This requires an active attacker but isn't entire impossible. The pool is then used as a key for a cipher that is used in CTR mode. Yarrow is mostly meant for short-term programs [e.g. like file utils]. This particular implementation is not meant for long-term usage. Fortuna ------- Fortuna was designed by Niels Fergusson and Bruce Schneier [Bruce is also the guy who invented Yarrow]. It operates on a more defensive level than Yarrow. Instead of 1 entropy pool it has 32 and the new entropy is spread [round robin] in all of the pools. That is, each call to fortuna_add_entropy() puts the bits in the next [in the sequenece] pool of entropy. Effective bits are added to the pool by sending them through a hash [but not terminating the hash]. Here's the main catch though. When the PRNG must be reseeded [so that you can extract bits from it] only certain pools are used. More precisely the i'th pool is used every 2**i'th reseeding. For example, pool[0] is always used. pool[1] is used every second reseeding, pool[2] every fourth. The pools are hashed together along with the current key and the result is the new key for a cipher which operates in CTR mode [more about that in a sec]. Now this may seem odd at first however there is a good reason behind it. An attacker who learns pool[0] won't strictly know the other pools. So the recovery rate of is not 0. In fact pool[0] can be completely compromised and the PRNG will still eventually recover. The value FORTUNA_WD is the "WatchDog" counter. Every FORTUNA_WD calls to fortuna_read will invoke the reseed operation. By default this is set to 10 which means after 10 calls the PRNG will reseed itself. The pools are combined with the running cipher key [256 bits] so that a cipher in CTR mode can produce the stream. Unlike Yarrow the cipher is re-keyed after every call to fortuna_read() [so one big call would be faster than many smaller calls]. This prevents too much data being encrypted under the same key [and mitigates a flaw in CTR mode that the same block can't be emitted twice under the same key]. Fortuna is really meant for a kernel-level PRNG. The more sources [and often] you feed into it the healthier it will be. It's also meant to be used for long term purposes. Since it can recover from compromises it is harder to control it. SOBER-128 ------ SOBER-128 is actually a stream cipher but like most ciphers can easily be modelled in the context of a PRNG. This PRNG is extremely fast [4 cycles/byte on a P4] and was designed by a well known cryptographer [Greg Rose]. SOBER-128 doesn't really "act" like the other two PRNGs. It's meant to be seeded once and then read as required. In such a sense it isn't a "system PRNG" but useful short term purposes. In particular the sober128_read() function actually XORs against the input buffer you specify. This allows the read() function to be used as an "encrypt" function as well. You can only key SOBER-128 once [by calling sober128_add_entropy()]. Once it it is keyed subsequent calls to add_entropy() will be considered a "re-IV" operation. Changing the IV allows you to use same initial key and not produce the same output stream. It also lets you differentiate packets. E.g. each packet has it's own IV. All inputs to sober128_add_entropy() must have a length that is a multiple of four. Overall ------- Since SOBER-128 is *much* faster than the other two PRNGs a good setup would be to use Fortuna as your system-wide PRNG and use SOBER-128 [key'ed from Fortuna] for encrypting streams or as a PRNG for simulations. Yarrow is still a good candidate but only for "short lived" programs. However, since Fortuna is faster [by about 10 cycles/byte on a P4] I'd use Fortuna anyways... Tom