[cryptography] random number generator

James A. Donald jamesd at echeque.com
Sat Nov 22 04:08:31 EST 2014


On 2014-11-22 03:01, dj at deadhat.com wrote:
>
>> Rather than me listing "names", why not just let it rip and run your own
>> randomness tests on it?
>
> Because that won't tell me if you are performing entropy extraction.
>
> Jytter assumes an x86 machine with multiple asynchronous clocks and
> nondeterministic physical devices. This is not a safe assumption. Linux
> assumes entropy in interrupt timing and this was the result
> https://factorable.net/weakkeys12.extended.pdf.
>
> This falls under the third model of source in my earlier email. Your
> extractor might look simple, but your system is anything but simple and
> entropy extracted from rdtsc and interrupts amounts to squish.
>
> Looking at the timing on your system and saying "it looks random to me"
> does not cut it. Portable code has to have a way to know system timing is
> random on every platform it runs on. The above paper shows that it isn't.
>
> Jytter does something neat but the broad claims you are making and the
> broader claims the Jytter web site makes do not pass the sniff test.


By and large, usually, interrupt timing is somewhat random, and, if not 
random, unknowable to the adversary.

But this is not guaranteed, and likely to be untrue if you have several 
identical systems, such as routers, which need randomness at boot up. 
All your routers are likely to wind up generating keys from a rather 
small set of possible keys.

It is extremely easy to get true randomness, or at least randomness 
unknowable to the adversary.  It is extremely hard to get true 
randomness reliably in an unknown or arbitrary system.  You really have 
to tinker your entropy collection to your situation, to your particular 
system.

128 bits of entropy is enough for forever, so the big problem is start up.

A long running system is bound to have plenty of entropy - anything more 
than 128 is plenty.  So if it writes a unique secret key to each boot up 
image, and each boot up has access to a good approximation to the 
current time, we are golden.
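An added illustration of the two points above (not part of the thread or of Jytter): a fleet of identical devices that derive keys only from coarse boot-time timings collapses onto a small set of keys, while mixing in a per-device secret stored in the boot image together with the boot time keeps every device's key distinct, and rolling that secret forward at each boot preserves the accumulated entropy. The "device" model, the timing distribution (a handful of possible values per sample) and the HMAC-based derivation are constructed assumptions for this example.

```python
"""Simulated device fleet: naive boot-timing seeding vs. mixing a stored
per-device secret and boot time. All inputs are constructed for the example."""
import hashlib
import hmac
import random


def boot_timing_entropy(rng, samples=8, spread=2):
    # Constructed model of an idle, freshly booted device: the low bits of
    # interrupt / rdtsc deltas take only 'spread' distinct values, so the
    # whole sample has at most spread**samples possible outcomes.
    return bytes(rng.randrange(spread) for _ in range(samples))


def naive_key(timing_bytes):
    # Key derived from boot timing alone: no stronger than the timing input.
    return hashlib.sha256(timing_bytes).digest()


def mixed_key(device_secret, boot_time, timing_bytes):
    # Seed = HMAC(per-device secret, boot_time || timing). Even when the timing
    # repeats across devices, the secret keeps the outputs distinct.
    msg = boot_time.to_bytes(8, "big") + timing_bytes
    return hmac.new(device_secret, msg, hashlib.sha256).digest()


def next_boot_secret(device_secret, boot_time, timing_bytes):
    # Roll the stored secret forward so the image written back for the next
    # boot carries everything collected so far (never reuse the old value).
    return hmac.new(device_secret, b"next" + mixed_key(device_secret, boot_time, timing_bytes),
                    hashlib.sha256).digest()


def simulate_fleet(n_devices, seed=0, samples=8, spread=2):
    # Returns (distinct naive keys, distinct mixed keys, size of naive space).
    rng = random.Random(seed)
    naive, mixed = set(), set()
    for dev in range(n_devices):
        timing = boot_timing_entropy(rng, samples, spread)
        # Per-device secret provisioned once into the boot image (simulated).
        secret = hashlib.sha256(b"provisioned-secret-" + str(dev).encode()).digest()
        boot_time = 1_416_600_000 + dev  # constructed epoch seconds, Nov 2014
        naive.add(naive_key(timing))
        mixed.add(mixed_key(secret, boot_time, timing))
    return len(naive), len(mixed), spread ** samples


if __name__ == "__main__":
    n_naive, n_mixed, space = simulate_fleet(1000)
    print(f"1000 devices: naive seeding -> {n_naive} distinct keys "
          f"(search space {space}); mixed seeding -> {n_mixed} distinct keys")
```

The naive count never exceeds spread**samples regardless of fleet size, which is the "rather small set of possible keys" failure; the mixed count equals the fleet size because the stored secret differs per device even when timing and time do not.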