SipHash, a fast PRF by DJB, has been adopted upstream across the Linux networking stack, landing in 4.11. It deprecates a lot of ancient and broken crypto like MD5 for initial sequence number hashes.
It's my guess that timer values added in ISNs should now be indistinguishable from the rest of the hashed secret outlined in RFC 6528.[1] Can anyone knowledgeable in reading kernel code [2] please confirm that this kills clock skew extraction [3] and fingerprinting [4] described in Steven Murdoch's papers?
It's one of the advanced attacks we've been following for some time now and it would be good to write it off.
***
[1] https://tools.ietf.org/html/rfc6528
[2] http://lkml.iu.edu/hypermail/linux/kernel/1701.1/00076.html
[3] http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ih05coverttcp.pdf (pages 7-8)
[4] http://sec.cs.ucl.ac.uk/users/smurdoch/papers/ccs06hotornot.pdf
On Wed, 11 Jan 2017 19:57:07 +0100 bancfc@openmailbox.org wrote:
> It's my guess that timer values added in ISNs should now be indistinguishable from the rest of the hashed secret outlined in RFC 6528.[1] Can anyone knowledgeable in reading kernel code [2] please confirm that this kills clock skew extraction [3] and fingerprinting [4] described in Steven Murdoch's papers?
The issue isn't the choice of the hash algorithm, and the patch doesn't change net/core/secure_seq.c:seq_scale() at all, nor how/when it's called.
So no, it doesn't fix the issue.
Regards,
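
An added example, not part of the thread and not kernel code: a model of the RFC 6528 formula ISN = M + F(localip, localport, remoteip, remoteport, secretkey), showing that for a fixed 4-tuple the timer term survives in the difference of two ISNs whatever F and the key are. `toy_f` is a made-up stand-in for the keyed hash, and the addresses, ports and keys are constructed sample values.

```c
#include <stdint.h>
#include <stdio.h>

/* Stand-in keyed mixer (hypothetical; NOT SipHash or MD5). Any F of the
 * 4-tuple and secret gives the same result in isn_delta() below. */
static uint32_t toy_f(uint32_t saddr, uint32_t daddr,
                      uint16_t sport, uint16_t dport, uint64_t key)
{
    uint64_t h = key ^ 0x9e3779b97f4a7c15ULL;
    h = (h ^ saddr) * 0xbf58476d1ce4e5b9ULL;
    h = (h ^ daddr) * 0x94d049bb133111ebULL;
    h = (h ^ (((uint32_t)sport << 16) | dport)) * 0xbf58476d1ce4e5b9ULL;
    return (uint32_t)(h ^ (h >> 32));
}

/* RFC 6528 timer M: one tick every 4 microseconds. */
static uint32_t timer_m(uint64_t now_ns)
{
    return (uint32_t)(now_ns / 4000);
}

/* ISN = M + F(...), arithmetic modulo 2^32. */
static uint32_t isn(uint64_t now_ns, uint32_t saddr, uint32_t daddr,
                    uint16_t sport, uint16_t dport, uint64_t key)
{
    return timer_m(now_ns) + toy_f(saddr, daddr, sport, dport, key);
}

/* Difference of two ISNs for the same (constructed) 4-tuple and key:
 * F cancels, leaving only M(t2) - M(t1). */
static uint32_t isn_delta(uint64_t t1_ns, uint64_t t2_ns, uint64_t key)
{
    const uint32_t s = 0xc0000201u, d = 0xc6336407u; /* 192.0.2.1, 198.51.100.7 */
    return isn(t2_ns, s, d, 40000, 443, key) - isn(t1_ns, s, d, 40000, 443, key);
}

int main(void)
{
    uint64_t t1 = 1000000000ULL, t2 = t1 + 8000000ULL; /* 8 ms apart */
    printf("key A: delta = %u ticks\n", (unsigned)isn_delta(t1, t2, 0x1111ULL));
    printf("key B: delta = %u ticks\n", (unsigned)isn_delta(t1, t2, 0x2222ULL));
    return 0;
}
```

Because the hash term cancels, replacing F with a stronger PRF leaves the delta unchanged; only the way the timer is combined with the hash affects it.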