Re: depleting the random number generator

1999-07-18 Thread Russell Nelson
John Denker writes: The bad part is that Whitney has already gobbled up quite a few bits of entropy from /dev/random before the slightest bit of authentication is attempted. You're presuming that you're using the standard Linux version of /dev/random. You could quite easily write a driver

Re: depleting the random number generator

1999-07-18 Thread Eugene Leitl
bram writes: Most of the fancy reseedable PRNG schemes people have come up with are based on using secure hashes. They are sure validated, but are they the best we can do? MD5, the nonplusultra, really?

Re: depleting the random number generator

1999-07-18 Thread Eugene Leitl
bram writes: I'm not sure if anybody's yarrowified /dev/random yet - I think someone from coderpunks was working on it. Does anybody know how cellular automata perform re cryptographically solid random number generators? They can crank out a lot of integers with a minimum investment in

Re: depleting the random number generator

1999-07-18 Thread bram
On Sat, 17 Jul 1999, Eugene Leitl wrote: Does anybody know how cellular automata perform re cryptographically solid random number generators? They can crank out a lot of integers with a minimum investment in instructions executed. Most of the fancy reseedable PRNG schemes people have come up

Re: depleting the random number generator

1999-07-18 Thread James A. Donald
-- At 04:45 PM 7/17/99 -0400, John Denker wrote: Step 2) The attacker endlessly iterates step 1. This is easy. AFAIK there is no useful limit on how often new applications can be made. This quickly exhausts the entropy pool on Whitney. The attacker can only "exhaust" the entropy pool

Re: depleting the random number generator

1999-07-18 Thread Bill Stewart
At 10:04 PM 7/17/99 -0700, Mike Brodhead wrote: Step 3a) If Whitney is getting key material from /dev/random, the result is a denial of service. All the IPsec tunnels will time out and will be replaced slowly or not at all, because of the entropy shortage. seems to me that the reason the

Re: depleting the random number generator

1999-07-18 Thread bram
On Sun, 18 Jul 1999, Bill Stewart wrote: /dev/urandom will give you pseudo-random bits if it's run out of entropy, so you've got the security risks inherent in that. As David Honig points out, you can't avoid those alternatives. Yes you can, if there's a 'pool' of entropy in memory which
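The contrast in the exchange above (a blocking pool whose entropy estimate an attacker can run down, versus a generator reseeded from a pool that keeps producing output) modelled in a small simulation. This is an added example, not code from any of the posts, from Linux, or from Yarrow; the entropy sample, the request counts and all class and function names are constructed for illustration, and "blocking" is represented by an exception rather than a sleeping read so the effect can be checked.

```python
"""Entropy-pool depletion versus a reseedable generator (added example).

Not code from the thread or from Linux. It models the blocking pool the
thread describes (output is refused once the entropy *estimate* is spent)
beside a Yarrow-style generator that seeds a keyed hash from that pool and
then produces output without draining the estimate. Entropy samples and
request counts are constructed; class and function names are illustrative.
"""
import hashlib
import hmac


class EntropyExhausted(Exception):
    """Stands in for a blocking read: the caller would sleep, here it fails."""


class BlockingPool:
    """A pool that tracks an entropy estimate and charges each read against it."""

    def __init__(self):
        self.state = b""
        self.estimate_bits = 0

    def add_entropy(self, sample: bytes, estimate_bits: int) -> None:
        # Mix the sample in and credit the estimate supplied by the caller.
        self.state = hashlib.sha256(self.state + sample).digest()
        self.estimate_bits += estimate_bits

    def read(self, nbytes: int) -> bytes:
        need = nbytes * 8
        if self.estimate_bits < need:
            raise EntropyExhausted(f"need {need} bits, have {self.estimate_bits}")
        self.estimate_bits -= need
        out = b""
        for ctr in range((nbytes + 31) // 32):
            out += hashlib.sha256(self.state + ctr.to_bytes(4, "big")).digest()
        # Forward-step the state so returned bytes cannot be re-derived later.
        self.state = hashlib.sha256(self.state + b"step").digest()
        return out[:nbytes]


class ReseedablePRNG:
    """HMAC-SHA256 in counter mode, keyed from the pool; it reseeds only
    when the pool has accumulated reseed_bits of fresh estimate."""

    def __init__(self, pool: BlockingPool, reseed_bits: int = 256):
        self.pool = pool
        self.reseed_bits = reseed_bits
        self.key = None
        self.counter = 0
        self.reseeds = 0

    def _reseed(self) -> None:
        seed = self.pool.read(self.reseed_bits // 8)  # charged to the pool once
        prev = self.key or b""
        self.key = hmac.new(seed, prev, hashlib.sha256).digest()
        self.counter = 0
        self.reseeds += 1

    def read(self, nbytes: int) -> bytes:
        if self.key is None or self.pool.estimate_bits >= self.reseed_bits:
            self._reseed()
        out = b""
        while len(out) < nbytes:
            out += hmac.new(self.key, self.counter.to_bytes(8, "big"),
                            hashlib.sha256).digest()
            self.counter += 1
        return out[:nbytes]


def simulate(use_reseedable: bool, attacker_requests: int = 50,
             legit_requests: int = 5, key_bytes: int = 16) -> dict:
    """Attacker triggers key generation repeatedly, then legitimate peers try.

    Returns how many of each were served and whether the source blocked."""
    pool = BlockingPool()
    # Constructed sample: pretend the kernel credited 512 bits of timing jitter.
    pool.add_entropy(b"constructed interrupt timings", 512)
    source = ReseedablePRNG(pool) if use_reseedable else pool
    served = {"attacker": 0, "legit": 0}
    exhausted = False
    for who, count in (("attacker", attacker_requests), ("legit", legit_requests)):
        for _ in range(count):
            try:
                key = source.read(key_bytes)
                assert len(key) == key_bytes
                served[who] += 1
            except EntropyExhausted:
                exhausted = True
    return {"attacker_served": served["attacker"],
            "legit_served": served["legit"],
            "exhausted": exhausted,
            "reseeds": getattr(source, "reseeds", 0)}


if __name__ == "__main__":
    print("blocking pool:", simulate(use_reseedable=False))
    print("reseedable   :", simulate(use_reseedable=True))
```

With the blocking pool, 512 credited bits serve four 128-bit keys and then every later request, including the legitimate ones, blocks: what the attacker drains is the estimate counter, not necessarily the unpredictability of the pool state. The reseedable generator pays the pool only at reseed time and keeps serving afterwards; the cost is the one the exchange points at, namely that output between reseeds is only as good as the current key, so a compromised key stays compromised until enough fresh entropy arrives to trigger the next reseed.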

Re: depleting the random number generator

1999-07-18 Thread Donald E. Eastlake 3rd
RFC 1750 recommends the Blum Blum Shub generator. Donald From: bram Date: Sat, 17 Jul 1999 16:18:20 -0700 (PDT) To: Eugene Leitl Content-Type: TEXT/PLAIN;

Re: depleting the random number generator

1999-07-18 Thread Ben Laurie
David Honig wrote: At 04:45 PM 7/17/99 -0400, John Denker wrote: Hi Folks -- I have a question about various scenarios for an attack against IPsec by way of the random number generator. The people on the linux-ipsec mailing list suggested I bring it up here. ..worries that