Re: linux random capabilities ...
On Wed, Jul 31, 2002 at 07:51:03PM +1000, Jean-Francois Dive wrote:
> hello people,
>
> I was talking to a friend, and he was describing the inability of PC based
> security devices to have proper pseudo-random number generation. This
> sounds to me like it needs some investigation. My general question is:
> has anyone ever heard about any type of cryptographic attack using flaws in
> the random number generation? Is there (even theoretically) a possibility
> of being able to guess those numbers? I know that some protocols add some
> more randomness (like ipsec, using the last cyphered block in the entropy
> pool etc..), but I'd like to have a clear idea on how secure those
> mechanisms are.

Short answer: Linux mainly uses interrupt timings as an entropy source, from
devices that are fairly unpredictable. Assuming those are secure, the entropy
pool is protected by a SHA hash of its state when something needs random
bits. (afaik) a SHA hash has no known weaknesses, with the exception of brute
force which is simply too big to attempt.

Long answer: read drivers/char/random.c from your nearest linux source tree.

> Finally, I read here and there some work on hardware random generation
> devices (based on radio activity readings, or diode based devices or
> whatever), is there anyone with some experience with those?

--
Adam Olsen, aka Rhamphoryncus
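The pool design Adam describes (mix unpredictable event timings into a pool, take output by hashing the pool state, keep an entropy estimate that decides whether a /dev/random-style read may proceed) is easier to reason about with a small model in hand. The following is an added illustration, not code from the thread and not the kernel's drivers/char/random.c: the pool size, the SHA-1-based mixing function, the credit values and the sample timings are all constructed for the example. Besides the blocking/non-blocking behaviour, it makes one point the message only implies: two pools fed identical samples produce identical output, so the hash hides the state but contributes no unpredictability of its own. Everything rests on the timings being unguessable.

```python
"""Toy model of the entropy-pool design described in the message above.

Added illustration only: not the kernel's drivers/char/random.c, which uses
a larger pool, a different mixing function and a folded SHA-1 output.
Pool size, credits and the sample timings here are constructed."""
import hashlib
import os
import struct

POOL_BYTES = 64  # assumed pool size for this model (not the kernel's)


class ToyEntropyPool:
    def __init__(self):
        self.pool = bytearray(POOL_BYTES)
        self.add_ptr = 0       # where the next mixed-in bytes land (rotates over the pool)
        self.entropy_bits = 0  # estimate of unpredictable bits currently held

    def _mix(self, data: bytes) -> None:
        """Fold data into the pool state via SHA-1 (toy mixing function)."""
        digest = hashlib.sha1(bytes(self.pool) + data).digest()
        for b in digest:
            self.pool[self.add_ptr] ^= b
            self.add_ptr = (self.add_ptr + 1) % POOL_BYTES

    def add_timing(self, timestamp_ns: int, credited_bits: int) -> None:
        """Mix an event timestamp (e.g. an interrupt time) into the pool and
        raise the entropy estimate by the credit the caller assigns to it."""
        self._mix(struct.pack("<Q", timestamp_ns & (2**64 - 1)))
        self.entropy_bits = min(POOL_BYTES * 8, self.entropy_bits + credited_bits)

    def would_block(self, nbytes: int) -> bool:
        """True if a /dev/random-style read of nbytes would be refused right now."""
        return self.entropy_bits < nbytes * 8

    def extract(self, nbytes: int, blocking: bool = True) -> bytes:
        """Produce nbytes of output from the pool.

        blocking=True models /dev/random: refuse when the estimate is too low.
        blocking=False models /dev/urandom: always answer from the hashed state.
        Before each output block the pool is updated with a hash of itself, so
        recovering an earlier state from the current one is a preimage problem
        on SHA-1 rather than a simple inversion."""
        if blocking and self.would_block(nbytes):
            raise BlockingIOError("entropy estimate too low: %d bits held, %d requested"
                                  % (self.entropy_bits, nbytes * 8))
        out = b""
        counter = 0
        while len(out) < nbytes:
            self._mix(struct.pack("<I", counter))                     # advance the state
            out += hashlib.sha1(b"out" + bytes(self.pool)).digest()   # hash the new state
            counter += 1
        self.entropy_bits = max(0, self.entropy_bits - nbytes * 8)
        return out[:nbytes]


def feed_constructed_samples(pool: ToyEntropyPool, count: int = 16, credit: int = 8) -> None:
    """Feed constructed 'interrupt' timestamps with a fixed credit each.
    Real timings would be unpredictable; these are fixed so the example is
    repeatable, which is exactly why the output below is reproducible too."""
    t = 1_000_000
    for i in range(count):
        t += 173 + (i * 7919) % 311   # constructed jitter pattern, not real timings
        pool.add_timing(t, credit)


if __name__ == "__main__":
    pool = ToyEntropyPool()
    feed_constructed_samples(pool)          # 16 samples x 8 bits = 128 bits credited
    print("entropy estimate:", pool.entropy_bits, "bits")
    print("blocking read   :", pool.extract(16).hex())
    try:
        pool.extract(16)                    # estimate is now 0, so this is refused
    except BlockingIOError as e:
        print("second blocking read refused:", e)
    print("non-blocking    :", pool.extract(16, blocking=False).hex())
    # What userspace should actually call; the kernel does the pooling for you.
    print("os.urandom      :", os.urandom(16).hex())
```

Running it twice prints the same "blocking read" bytes both times, because the constructed timings are the same both times; the real driver's output differs between runs only because its inputs do.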
Re: linux random capabilities ...
On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
> Short answer: Linux mainly uses interrupt timings as an entropy source, from
> devices that are fairly unpredictable. Assuming those are secure, the
> entropy pool is protected by a SHA hash of its state when something needs
> random bits. (afaik) a SHA hash has no known weaknesses, with the exception
> of brute force which is simply too big to attempt.

untrue, consider the attack against Netscape's ssl implementation

consider: Ian Goldberg and David Wagner, Randomness and the Netscape Browser,
Dr. Dobb's Journal, January 1996, p.66
http://www.ddj.com/documents/s=965/ddj9601h/9601h.htm

> Long answer: read drivers/char/random.c from your nearest linux source tree.
>
> > Finally, I read here and there some work on hardware random generation
> > devices (based on radio activity readings, or diode based devices or
> > whatever), is there anyone with some experience with those?

yeah, I don't know much about it but an article exists on P4's with a PRNG on
them.. If anyone can provide some more feedback on this I'd love to hear them
out, I myself have not had time to read the article I'm about to link or do
any research on this whatsoever.

www.g0thead.com/papers/Cryptography/IntelRNG.pdf

www.g0thead.com/ssl_notes.txt
unfinished research on ssl - I apologize on any wrong information provided in
this text as I said it's unfinished research and all comments/corrections/flames
are welcome :)

--
Orlando Padilla
http://www.g0thead.com/xbud.asc
'A woman drove me to drink and I didn't even have the courtesy to thank her' -wa
Re: linux random capabilities ...
Jean-Francois Dive [EMAIL PROTECTED] wrote:
> I was talking to a friend, and he was describing the inability of PC based
> security devices to have proper pseudo-random number generation. This
> sounds to me like it needs some investigation. My general question is:
> has anyone ever heard about any type of cryptographic attack using flaws in
> the random number generation?

There is no such thing as randomness. Only order of infinite complexity.
  - _The Holographic Universe_, Michael Talbot

Apparently there was an attack on early Netscape browsers that attacked the
PRNG; see http://www.counterpane.com/yarrow.html
There's a white paper on the topic there too.

I think TCP sequence number prediction might be another example - see
http://www.engarde.com/software/seqnum.php

The linux kernel keeps an `entropy pool', which is stirred every time you
press a key, access the disk, move the mouse, and with a patch from Robert
Love's site (http://www.tech9.net/rml/linux/), every time the network is used
too (very necessary for servers in racks IMHO). You can get random numbers
out via /dev/random or /dev/urandom. These are cryptographically strong,
though they don't come out at one hell of a rate.

Unless, of course, your Intel motherboard has a hardware entropy collector
(gets its numbers from ambient heat fluctuations, apparently). And you have
turned that option on in the Linux kernel compile.

In the userspace side of things, there's the Math::TrulyRandom Perl module,
which uses fluctuations in the system timer to get some of that much-loved
entropy. This takes some time but also produces pretty good random numbers.

--
Sam Vilain, [EMAIL PROTECTED]    WWW: http://sam.vilain.net/
GPG: http://sam.vilain.net/sam.asc
7D74 2A09 B2D3 C30F F78E  278A A425 30A9 05B5 2F13
The end move in politics is always to pick up a gun.
  - BUCKMINSTER FULLER
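Sam's last paragraph (Math::TrulyRandom harvesting entropy from system-timer fluctuations) raises the question a practitioner has to answer before trusting any such source: how many bits is each raw sample actually worth? The check below is an added example, not code from Math::TrulyRandom, the kernel, or anyone in the thread. It measures the distribution of raw jitter samples and reports both the Shannon entropy (the optimistic average) and the min-entropy (the conservative figure governed by the attacker's single best guess), then derives a per-sample credit. The sampling method, the 8-bit mask and the 0.5 safety factor are assumptions of the example; the estimator functions themselves are general and work on any list of discrete samples.

```python
"""Estimating how much entropy a timer-jitter source actually yields.

Added illustration for the message above; not Math::TrulyRandom's method.
The measurement loop, the low-bit mask and the safety factor are assumed
policy choices for the example."""
import math
import time
from collections import Counter


def shannon_entropy_bits(samples):
    """Shannon entropy (bits per sample) of the observed distribution.
    Optimistic: it measures the average surprise, not the worst case."""
    if not samples:
        return 0.0
    counts = Counter(samples)
    n = len(samples)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def min_entropy_bits(samples):
    """Min-entropy (bits per sample): -log2 of the most likely value's
    frequency. Conservative: an attacker guessing the mode is right this often,
    so this is the figure to credit a source with."""
    if not samples:
        return 0.0
    most_common = Counter(samples).most_common(1)[0][1]
    return -math.log2(most_common / len(samples))


def sample_timer_jitter(count, low_bits=8):
    """Collect `count` raw samples: the low `low_bits` bits of the interval
    between consecutive high-resolution clock readings while the CPU spins.
    Assumed measurement method, modelled on the idea of timer fluctuations."""
    mask = (1 << low_bits) - 1
    samples = []
    prev = time.perf_counter_ns()
    for _ in range(count):
        x = 0
        for i in range(50):            # busy work between readings
            x ^= (x << 1) ^ i
        now = time.perf_counter_ns()
        samples.append((now - prev) & mask)
        prev = now
    return samples


def credited_bits(samples, low_bits=8, safety_factor=0.5):
    """Per-sample credit: min-entropy scaled down by an assumed safety factor,
    and never more than the bits actually kept per sample."""
    return min(low_bits, min_entropy_bits(samples) * safety_factor)


if __name__ == "__main__":
    live = sample_timer_jitter(2000)
    print("Shannon    : %.2f bits/sample" % shannon_entropy_bits(live))
    print("min-entropy: %.2f bits/sample" % min_entropy_bits(live))
    print("credit     : %.2f bits/sample" % credited_bits(live))
    # Constructed skewed distribution: 90% one value, shows why Shannon is
    # the wrong number to credit a source with.
    skewed = [0] * 90 + list(range(1, 11))
    print("skewed Shannon %.2f vs min-entropy %.2f"
          % (shannon_entropy_bits(skewed), min_entropy_bits(skewed)))
```

On a machine with a coarse timer the live min-entropy can come out close to zero even when the Shannon figure looks respectable, which is the practical reason the kernel credits interrupt timings far below the width of the timestamp it mixes in.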
Re: linux random capabilities ...
On Wed, Jul 31, 2002 at 10:26:36AM -0500, Orlando wrote:
> On Wednesday 31 July 2002 06:08, Adam Olsen wrote:
> > Short answer: Linux mainly uses interrupt timings as an entropy source,
> > from devices that are fairly unpredictable. Assuming those are secure,
> > the entropy pool is protected by a SHA hash of its state when something
> > needs random bits. (afaik) a SHA hash has no known weaknesses, with the
> > exception of brute force which is simply too big to attempt.
>
> untrue, consider the attack against Netscape's ssl implementation
>
> consider: Ian Goldberg and David Wagner, Randomness and the Netscape
> Browser, Dr. Dobb's Journal, January 1996, p.66
> http://www.ddj.com/documents/s=965/ddj9601h/9601h.htm

Netscape doesn't use /dev/random, it uses a pseudo-random number generator.
Pseudo-RNGs aren't random, and the developers should be shot for doing it.
Anything wanting cryptographically secure random numbers needs to use
something like /dev/random.

> > Long answer: read drivers/char/random.c from your nearest linux source
> > tree.
> >
> > > Finally, I read here and there some work on hardware random generation
> > > devices (based on radio activity readings, or diode based devices or
> > > whatever), is there anyone with some experience with those?
>
> yeah, I don't know much about it but an article exists on P4's with a PRNG
> on them.. If anyone can provide some more feedback on this I'd love to hear
> them out, I myself have not had time to read the article I'm about to link
> or do any research on this whatsoever.
>
> www.g0thead.com/papers/Cryptography/IntelRNG.pdf

It looks like the P4 has a hardware RNG, not a pseudo-RNG (which would be
useless, and could be implemented in software easily). As far as the linux
/dev/random is concerned, that hardware RNG is just another source of
entropy. It has the advantage that it may be used in situations where there's
no other source, but either way you just get random data out of it.

> www.g0thead.com/ssl_notes.txt
> unfinished research on ssl - I apologize on any wrong information provided
> in this text as I said it's unfinished research and all
> comments/corrections/flames are welcome :)

--
Adam Olsen, aka Rhamphoryncus