-----BEGIN PGP SIGNED MESSAGE-----

At 07:08 PM 6/5/00 -0700, [EMAIL PROTECTED] wrote:
>So I'm curious about what all methods do folks currently use (on NT
>and unix)  to generate a random seed in the case where user
>interaction (e.g. the ol'  mouse pointer waving or keyboard tapping
>approaches) isn't a viable option?  

If the machine has a microphone, you can get some unpredictable bits
from internal noise in the circuit, and also from real noise in the
room the computer's in.  There's probably a tiny bit of entropy
available even in the worst case imaginable from network packet
arrival times, if you can get them.  And Jack Lacy and Matt Blaze did
some clever stuff with something called "truerand," which tries to
measure clock jitter between the CPU clock and the external clock
used to get the time of day.  Peter Gutmann's cryptographic library
has OS polls that seem to have some entropy in them, even without
user interaction, presumably ultimately based on hard drive timings,
clock jitter, etc.  Hard drive timings can also provide some
unpredictable bits.

In all cases, the hard thing is knowing *how much* entropy you're
getting.  This is an involved problem when you know the machine
and configuration and neighborhood of your target system.  It becomes
very, very difficult when you deal with estimating entropy for
platforms and configurations you've never even heard of.  Be
conservative estimating entropy.

There are some big things to remember dealing with entropy and
seeding a PRNG:

a.  Don't fall prey to the iterative guessing attack.  That is, don't
feed in a little entropy, then generate an output, then feed in a
little more, then generate another output, etc.  This is like hashing
your passphrase one character at a time, and publishing all the
intermediate hashes--it makes an attacker's job easy.  Instead, spend
a lot of time collecting entropy up front, from as many independent
sources as you can.  I think a good rule of thumb is to collect about
twice as much as you need from two independent sources, according to
your best estimates, before reseeding.  (That is, since you really
need about 80-90 bits, try to collect around 160 from two sources.)  

b.  Collect some unique information from your system, e.g.,
configuration, registry file hash, etc.  This serves the same purpose
as a salt in a password file, and may include information that is out
of reach for many attackers.

c.  If you have any persistent, long-term secrets, use them in a
hashed form.  Passphrases are okay for this, but the really great
thing is if you have a private key--hash that private key along with
a timestamp, and you have a secret value that's unguessable, and
won't leak any information about your private key unless someone
inverts the hash function.

d.  Keep a seed file if you can, so that you don't have to spend
forever accumulating enough entropy to use.

e.  Don't try to guarantee full entropy for each session key for
something like IPSec--it just doesn't make sense in most contexts. 
Instead, spend lots of time getting to a secure starting point, and
then use something like triple-DES in counter mode to generate
outputs.  

f.  If you can manage it, find some code from someone else who's
wrestled with this problem.  Neither /dev/random nor Gutmann's
Cryptlib PRNG are perfect, but they're both lots better than you're
likely to do on your own in a short time.  If you're using Windows,
there's some code for an old version of Yarrow (our PRNG) on the
counterpane website; it's not being actively maintained, but Ari did
some stuff to collect entropy from the OS.  Some people are
implementing more recent versions of Yarrow (Yarrow-160), but I don't
know of anyone with code available right now.  

>thanks,
>
>JeffH

--John Kelsey, [EMAIL PROTECTED]

If you're interested, we wrote some papers on this stuff.  See
http://www.counterpane.com and follow the links.  In particular, we
did a paper on cryptanalyzing various PRNGs, and another on designing
Yarrow-160.  
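As an added illustration of rules a through e above (example code written for this page, not Yarrow, Cryptlib or /dev/random code): a hypothetical accumulator that refuses to reseed until two independent sources have each supplied a conservatively estimated 80 bits, mixes in a system salt and a hashed long-term secret, and then produces output in counter mode. HMAC-SHA256 stands in for the triple-DES counter mode the message mentions because the Python standard library has no block cipher; the source names, estimates and sample bytes are constructed.

```python
import hashlib
import hmac
import os
import struct

NEEDED_BITS = 80               # roughly what a session key needs, per the message
MIN_SOURCES = 2                # reseed only once two independent sources ...
PER_SOURCE_BITS = NEEDED_BITS  # ... have each paid in about what you need (2x in total)

class EntropyPool:
    def __init__(self, seed_file=None, salt=b""):
        # salt: unique but non-secret system info (rule b); seed_file: saved by a previous run (rule d)
        self.pool = hashlib.sha256(b"pool-v1" + salt)
        self.credits = {}          # conservative entropy estimate per source, in bits
        self.key, self.counter = None, 0
        if seed_file and os.path.exists(seed_file):
            with open(seed_file, "rb") as f:
                self.pool.update(f.read())

    def add(self, source, sample, est_bits):
        """Mix a raw sample in; est_bits is the caller's *conservative* estimate."""
        self.pool.update(struct.pack(">I", len(sample)) + sample)
        self.credits[source] = self.credits.get(source, 0) + est_bits

    def add_secret(self, secret, timestamp):
        """Rule c: mix in a hash of a long-term secret plus a timestamp, never the secret itself."""
        self.pool.update(hashlib.sha256(secret + struct.pack(">Q", timestamp)).digest())

    def ready(self):
        # Rule a: no small incremental reseeds; wait until enough independent sources are full.
        return sum(bits >= PER_SOURCE_BITS for bits in self.credits.values()) >= MIN_SOURCES

    def reseed(self):
        if not self.ready():
            raise RuntimeError("refusing to reseed on too little entropy")
        self.key, self.counter, self.credits = self.pool.digest(), 0, {}
        self.pool = hashlib.sha256(b"pool-v1" + self.key)   # carry the old state forward
        return self.key

    def generate(self, n):
        """Rule e: counter-mode output from the seeded key (HMAC-SHA256 stands in for 3DES-CTR)."""
        if self.key is None:
            raise RuntimeError("pool has never been seeded")
        out = b""
        while len(out) < n:
            out += hmac.new(self.key, struct.pack(">Q", self.counter), hashlib.sha256).digest()
            self.counter += 1
        return out[:n]
```

The point of the `ready()` gate is that an attacker who can observe outputs between reseeds never gets to guess a few bits of fresh entropy at a time; all of it lands in one step.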
