On 11/22/2014 4:08 AM, James A. Donald wrote:
> On 2014-11-22 03:01, d...@deadhat.com wrote:
>>> Rather than me listing "names", why not just let it rip and run your own
>>> randomness tests on it?
>>
>> Because that won't tell me if you are performing entropy extraction.
>>
>> Jytter assumes an x86 machine with multiple asynchronous clocks and
>> nondeterministic physical devices. This is not a safe assumption. Linux
>> assumes entropy in interrupt timing and this was the result
>> https://factorable.net/weakkeys12.extended.pdf.
>>
>> This falls under the third model of source in my earlier email. Your
>> extractor might look simple, but your system is anything but simple and
>> entropy extracted from rdtsc and interrupts amounts to squish.
>>
>> Looking at the timing on your system and saying "it looks random to me"
>> does not cut it. Portable code has to have a way to know system timing is
>> random on every platform it runs on. The above paper shows that it isn't.
>>
>> Jytter does something neat but the broad claims you are making and the
>> broader claims the Jytter web site makes do not pass the sniff test.
>
> By and large, usually, interrupt timing is somewhat random, and, if not
> random, unknowable to the adversary.
>
> But this is not guaranteed, and likely to be untrue if you have several
> identical systems, such as routers, which need randomness at boot up. All
> your routers are likely to wind up generating keys from a rather small set
> of possible keys.
>
> It is extremely easy to get true randomness, or at least randomness
> unknowable to the adversary. It is extremely hard to get true randomness
> reliably in an unknown or arbitrary system. You really have to tinker your
> entropy collection to your situation, to your particular system.
>
> 128 bits of entropy is enough for forever, so the big problem is start up.
>
> A long running system is bound to have plenty of entropy - anything more
> than 128 is plenty. So if it writes a unique secret key to each boot up
> image, and each boot up has access to a good approximation to the current
> time, we are golden.
>
> _______________________________________________
> cryptography mailing list
> cryptography@randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
If this was already brought up I apologize, but how about looking into the NIST Randomness Beacon?


--
Kevin
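As an added illustration of James's boot-up proposal above (not code from any poster or from Jytter): a seed derivation that mixes a persisted per-image secret with the boot time and a live timing sample, plus a small fleet check showing that cloned images sharing one secret, one clock reading and one (squishy) timing sample collapse to a single seed. HMAC-SHA256 as the extractor, the label strings and the sample values are my assumptions.

```python
import hashlib
import hmac
import struct

# Added example of boot-time seeding along the lines of the thread: every boot
# image carries its own persisted secret, and the first seed after boot mixes
# that secret with the current time and whatever live timing sample the
# platform offers. HMAC-SHA256 as extractor and the labels are assumptions.

def derive_boot_seed(device_secret: bytes, boot_time: int, live_sample: bytes) -> bytes:
    """Return a 32-byte seed; each input is length-prefixed so the three
    fields cannot shift into one another."""
    if len(device_secret) < 16:
        raise ValueError("persisted device secret must hold at least 128 bits")
    fields = (device_secret, struct.pack(">Q", boot_time), live_sample)
    ikm = b"".join(struct.pack(">I", len(f)) + f for f in fields)
    # Extract with a fixed label as salt, then expand one block for the seed.
    prk = hmac.new(b"boot-seed-v1", ikm, hashlib.sha256).digest()
    return hmac.new(prk, b"seed\x01", hashlib.sha256).digest()

def next_device_secret(device_secret: bytes, seed: bytes) -> bytes:
    """Secret to persist for the next boot. Write it out before the seed
    reaches any consumer, so a later read of the image does not reveal the
    seed that produced this boot's keys."""
    return hmac.new(seed, b"next-secret" + device_secret, hashlib.sha256).digest()

def fleet_seeds(device_secrets, boot_time: int, live_sample: bytes) -> set:
    """Seeds for a fleet whose members all see the same clock and the same
    timing sample: only the persisted secret can make them differ."""
    return {derive_boot_seed(s, boot_time, live_sample) for s in device_secrets}

if __name__ == "__main__":
    # Constructed inputs: 100 routers cloned from one image, booting in the
    # same second, with the same interrupt-timing sample.
    boot_time, sample = 1416672000, b"\x03\x00\x07\x01"
    cloned = [b"secret-baked-into-the-image"] * 100
    unique = [hashlib.sha256(b"per-device-%d" % i).digest() for i in range(100)]
    print("distinct seeds, cloned image:", len(fleet_seeds(cloned, boot_time, sample)))  # 1
    print("distinct seeds, unique secrets:", len(fleet_seeds(unique, boot_time, sample)))  # 100
```

The persisted secret is what distinguishes otherwise identical boots; the time and the live sample only add to it, so a fleet that skips the per-device secret gets no help from either.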


