[Cfrg] how to ensure unpredictability (or non-repeatingness) in the presence of restarts or rollbacks
zooko@zooko.com Wed, 10 January 2007 18:45 UTC
Received: from [127.0.0.1] (helo=stiedprmman1.va.neustar.com) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4iRn-0004QE-Tk; Wed, 10 Jan 2007 13:45:15 -0500
Received: from [10.91.34.44] (helo=ietf-mx.ietf.org) by megatron.ietf.org with esmtp (Exim 4.43) id 1H4iRm-0004Q9-OM for cfrg@irtf.org; Wed, 10 Jan 2007 13:45:14 -0500
Received: from netra.revealsystems.net ([209.97.224.17]) by ietf-mx.ietf.org with esmtp (Exim 4.43) id 1H4iRk-0007VT-DK for cfrg@irtf.org; Wed, 10 Jan 2007 13:45:14 -0500
Received: from yumyum.zooko.com (DSL_POOL_3-248.revealsystems.net [209.97.232.248] (may be forged)) by Netra.revealsystems.net (8.13.3+Sun/8.13.3) with ESMTP id l0AIgeTl012902; Wed, 10 Jan 2007 11:42:42 -0700 (MST)
Received: from yumyum.zooko.com (yumyum.zooko.com [127.0.0.1]) by yumyum.zooko.com (Postfix) with ESMTP id A89A6A99; Wed, 10 Jan 2007 11:45:20 -0700 (MST)
To: Wei Dai <weidai@weidai.com>
From: zooko@zooko.com
In-reply-to: <ec22d0e20701100620t37e77e70mda14d1c73930731@mail.gmail.com>
References: <ec22d0e20701100620t37e77e70mda14d1c73930731@mail.gmail.com>
Comments: In-reply-to "Wei Dai" <weidai@weidai.com> message dated "Wed, 10 Jan 2007 22:20:34 +0800."
Date: Wed, 10 Jan 2007 11:45:20 -0700
Message-Id: <20070110184520.A89A6A99@yumyum.zooko.com>
X-Spam-Score: 0.2 (/)
X-Scan-Signature: 7aafa0432175920a4b3e118e16c5cb64
Cc: cfrg@irtf.org
Subject: [Cfrg] how to ensure unpredictability (or non-repeatingness) in the presence of restarts or rollbacks
X-BeenThere: cfrg@ietf.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: zooko@zooko.com
List-Id: Crypto Forum Research Group <cfrg.ietf.org>
List-Unsubscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=unsubscribe>
List-Post: <mailto:cfrg@ietf.org>
List-Help: <mailto:cfrg-request@ietf.org?subject=help>
List-Subscribe: <https://www1.ietf.org/mailman/listinfo/cfrg>, <mailto:cfrg-request@ietf.org?subject=subscribe>
Errors-To: cfrg-bounces@ietf.org
Wei Dai wrote: > > First of all it seems necessary to abandon the use of counter-based and > other state-derived nonces, and return to either random nonces or > deterministic cryptography. Until we have operating system support (perhaps > an API to designate a memory buffer or file as protected from rollbacks?) > it's hard to see how we can safely use state-derived nonces when state > rollbacks are a possibility. (By the way, this problem is already present in non-virtual systems -- see below.) If the guest code could detect that a rollback (or equivalently a crash-and-restart), then it could update its sensitive state -- that state which is required to be unpredictable or perhaps only non-repeating -- in response to that event. The update in response to restart would have to be distinct from any update that might be applied in the absence of restart. For example, if you are storing a counter of e.g. 160 bits in order to generate non-repeating numbers, and you are incrementing it each time you are asked for another number, then every time you restart you would add 2^80. An equivalent scheme would work for unpredictable state, e.g. when updating the unpredictable state during normal (non-restart) operation, you set new_state = MAC(secret_key_1, old_state), and when updating the state in response to a restart operation, you set new_state = MAC(secret_key_2, old_state). The point is that as long as guest code can reliably detect restart events, then it doesn't require much support from the host in order to maintain non-repeatingness or unpredictability -- notification of restart is sufficient. Note that this also obviates the need for expensive "durable write" of updates to your persistent state during normal operation. Indeed, given this design, one might as well never write the state back to disk except during restart (at which point you do indeed require expensive durable write). Unfortunately guest code cannot reliably detect such events in current VMware, as far as I know. (One might attempt to hack it by watching the hardware clock closely to see if it jumps ahead. One redeeming feature of that hack would be that a false alarm which causes you to update your state as if you had restarted when you hadn't doesn't cost much.) Note that this problem is already present without virtualization -- operating system random pools e.g. Linux's /dev/random might deliver the same "unpredictable" state more than once in a row due to a crash and restart. The techniques described above ought to protect /dev/random from such a failure but that isn't currently done as far as I know. Regards, Zooko _______________________________________________ Cfrg mailing list Cfrg@ietf.org https://www1.ietf.org/mailman/listinfo/cfrg
- RE: [Cfrg] how to guard against VM rollbacks Hallam-Baker, Phillip
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Jon Callas
- [Cfrg] how to guard against VM rollbacks Wei Dai
- [Cfrg] Re: how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Hal Finney
- [Cfrg] how to ensure unpredictability (or non-rep… zooko
- Re: [Cfrg] how to guard against VM rollbacks Peter Gutmann
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Ariel Waissbein
- Re: [CFRG] how to guard against VM rollbacks Phillip Rogaway
- Re: [Cfrg] how to guard against VM rollbacks Paul Hoffman
- Re: [Cfrg] how to guard against VM rollbacks Peter Gutmann
- Re: [Cfrg] how to guard against VM rollbacks Hal Finney
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Ariel Waissbein
- Re: [Cfrg] how to guard against VM rollbacks Mark Baugher
- RE: [Cfrg] how to guard against VM rollbacks Hallam-Baker, Phillip
- Re: [Cfrg] how to guard against VM rollbacks Hal Finney
- [Cfrg] Re: how to guard against VM rollbacks Simon Josefsson
- Re: [Cfrg] Re: how to guard against VM rollbacks Hal Finney
- Re: [Cfrg] Re: how to guard against VM rollbacks Steven M. Bellovin
- Re: [Cfrg] Re: how to guard against VM rollbacks Jon Callas
- [Cfrg] RE: how to guard against VM rollbacks Hallam-Baker, Phillip
- RE: [Cfrg] Re: how to guard against VM rollbacks Hallam-Baker, Phillip
- RE: [Cfrg] Re: how to guard against VM rollbacks Hallam-Baker, Phillip
- [Cfrg] Re: how to guard against VM rollbacks Simon Josefsson
- Re: [Cfrg] Re: how to guard against VM rollbacks Hal Finney
- Re: [Cfrg] Re: how to guard against VM rollbacks Mark Baugher
- Re: [Cfrg] how to guard against VM rollbacks Peter Gutmann
- RE: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks Wei Dai
- Re: [Cfrg] how to guard against VM rollbacks David McGrew