I want to add:

On Mon, Dec 11, 2017 at 2:01 PM, Kyle Rose <kr...@krose.org> wrote:
> It's not clear that this will make its way into the entropy pool
> before use unless the hypervisor and guest kernel have some explicit
> interaction to re-seed the entropy pool before resumption.

...and unless applications pull new entropy from this pool for every
single PRNG iteration, something I think is not done by userspace
PRNGs more complicated than "read directly from /dev/urandom". The
application would need to be aware of the resumption, or add
expected-distinct input to the PRNG as a matter of course (e.g.,
timestamp). And even then, there's still a race condition depending on
the order of operations.

The more I look into this, the more convinced I am that SIV-like
constructions are the only way to entirely avoid catastrophic loss of
security. To otherwise deal completely with the problem of VM cloning
involves the invasive complexity of layer violation. That said, I
don't think we want to take that step at this late date, but we should
recognize the benefits and limitations of adding nonces and look into
adding GCM-SIV (and related) cipher modes as future TEPs.

Kyle

_______________________________________________
Tcpinc mailing list
Tcpinc@ietf.org
https://www.ietf.org/mailman/listinfo/tcpinc
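Added example, not part of the thread above and not code from any TCPINC implementation: a small toy that shows the two failure modes Kyle contrasts. A cloned guest carries an identical copy of its userspace PRNG state, so both clones emit the same nonce; under a nonce-based mode (GCM-shaped) that repeated nonce lets a passive observer recover the XOR of the two plaintexts, while under an SIV-shaped mode the synthetic IV depends on the plaintext too, so the only thing revealed is whether two messages are identical. Everything is built from HMAC-SHA256 so it runs offline with the standard library; the `UserspacePrng`, `nonce_mode_encrypt`, `siv_encrypt`/`siv_decrypt` and `same_nonce_xor` names are assumptions of this example, and the ciphers are stand-ins with the same shape as GCM and GCM-SIV, not the real modes.

```python
"""Toy illustration (added example, not from the tcpinc thread) of the
VM-cloning failure mode: a cloned guest re-emits the same PRNG output, so a
nonce-based mode reuses a nonce, while an SIV-style mode only reveals that
two messages are equal.

Assumption: all primitives are built from HMAC-SHA256 so this runs with the
standard library only. It is NOT AES-GCM or AES-GCM-SIV, just the same shape
(nonce -> keystream versus PRF(nonce, plaintext) -> IV -> keystream).
"""
import hashlib
import hmac
import os
import random


class UserspacePrng:
    """Stand-in for a userspace PRNG seeded once and then iterated without
    ever re-reading /dev/urandom. A VM snapshot copies this object verbatim."""

    def __init__(self, seed: bytes):
        self._rng = random.Random(int.from_bytes(seed, "big"))

    def nonce(self) -> bytes:
        return self._rng.getrandbits(96).to_bytes(12, "big")

    def clone(self) -> "UserspacePrng":
        """What resuming two guests from one snapshot effectively does."""
        copy = UserspacePrng(b"\x00")
        copy._rng.setstate(self._rng.getstate())
        return copy


def _prf(key: bytes, label: bytes, data: bytes) -> bytes:
    return hmac.new(key, label + data, hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(enc_key: bytes, iv: bytes, n: int) -> bytes:
    """Counter mode over HMAC: the same (key, iv) always gives the same stream."""
    out = b""
    for ctr in range((n + 31) // 32):
        out += _prf(enc_key, b"ctr", iv + ctr.to_bytes(4, "big"))
    return out[:n]


def _subkeys(key: bytes):
    return _prf(key, b"enc", b""), _prf(key, b"mac", b"")


def nonce_mode_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """GCM-shaped: the keystream is a function of the nonce alone.
    Output layout is tag || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    ct = _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = _prf(mac_key, b"tag", nonce + ct)[:16]
    return tag + ct


def siv_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """SIV-shaped: the IV is a PRF over nonce AND plaintext, so a repeated
    nonce only repeats the keystream if the plaintext repeats as well.
    Output layout is iv || ciphertext."""
    enc_key, mac_key = _subkeys(key)
    iv = _prf(mac_key, b"siv", nonce + plaintext)[:16]
    ct = _xor(plaintext, _keystream(enc_key, iv, len(plaintext)))
    return iv + ct


def siv_decrypt(key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Decrypt, then recompute the synthetic IV over the recovered plaintext;
    a mismatch means the ciphertext (or nonce) was altered."""
    enc_key, mac_key = _subkeys(key)
    iv, ct = blob[:16], blob[16:]
    pt = _xor(ct, _keystream(enc_key, iv, len(ct)))
    if not hmac.compare_digest(iv, _prf(mac_key, b"siv", nonce + pt)[:16]):
        raise ValueError("authentication failed")
    return pt


def same_nonce_xor(encrypt, key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bytes:
    """XOR of the two ciphertext bodies a passive observer sees when both
    clones encrypt different messages under the nonce they both produced.
    For the nonce-based mode this equals p1 XOR p2 (the keystream cancels)."""
    c1, c2 = encrypt(key, nonce, p1), encrypt(key, nonce, p2)
    return _xor(c1[16:], c2[16:])


def demo() -> None:
    key = os.urandom(32)
    parent = UserspacePrng(os.urandom(16))  # seeded once at boot
    clone = parent.clone()                  # snapshot resumed elsewhere
    n1, n2 = parent.nonce(), clone.nonce()  # identical: same PRNG state
    p1 = b"transfer 100 to account A"       # constructed sample messages
    p2 = b"transfer 900 to account B"
    print("clones share a nonce:", n1 == n2)
    leak = same_nonce_xor(nonce_mode_encrypt, key, n1, p1, p2)
    print("nonce mode leaks p1^p2:", leak == _xor(p1, p2))
    leak = same_nonce_xor(siv_encrypt, key, n2, p1, p2)
    print("siv mode leaks p1^p2:", leak == _xor(p1, p2))
    print("siv mode leaks equality:",
          siv_encrypt(key, n1, p1) == siv_encrypt(key, n2, p1))


if __name__ == "__main__":
    demo()
```

The point of the toy is the last two prints: with the SIV shape, a repeated nonce degrades to "an observer can tell two messages were the same", which is the non-catastrophic failure Kyle is arguing for, whereas the nonce-only shape hands over the XOR of the plaintexts outright. Real GCM-SIV additionally keeps authentication intact under nonce reuse; the toy's decrypt check mirrors that by recomputing the IV over the recovered plaintext.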