[cryptography] random number generator

Kevin kevinsisco61784 at gmail.com
Sat Nov 22 12:20:29 EST 2014


On 11/22/2014 4:08 AM, James A. Donald wrote:
> On 2014-11-22 03:01, dj at deadhat.com wrote:
>>
>>> Rather than me listing "names", why not just let it rip and run your 
>>> own
>>> randomness tests on it?
>>
>> Because that won't tell me if you are performing entropy extraction.
>>
>> Jytter assumes an x86 machine with multiple asynchronous clocks and
>> nondeterministic physical devices. This is not a safe assumption. Linux
>> assumes entropy in interrupt timing and this was the result
>> https://factorable.net/weakkeys12.extended.pdf.
>>
>> This falls under the third model of source in my earlier email. Your
>> extractor might look simple, but your system is anything but simple and
>> entropy extracted from rdtsc and interrupts amounts to squish.
>>
>> Looking at the timing on your system and saying "it looks random to me"
>> does not cut it. Portable code has to have a way to know system 
>> timing is
>> random on every platform it runs on. The above paper shows that it 
>> isn't.
>>
>> Jytter does something neat but the broad claims you are making and the
>> broader claims the Jytter web site makes do not pass the sniff test.
>
>
> By and large, usually, interrupt timing is somewhat random, and, if 
> not random, unknowable to the adversary.
>
> But this is not guaranteed, and likely to be untrue if you have 
> several identical systems, such as routers, which need randomness at 
> boot up. All your routers are likely to wind up generating keys from a 
> rather small set of possible keys.
>
> It is extremely easy to get true randomness, or at least randomness 
> unknowable to the adversary.  It is extremely hard to get true 
> randomness reliably in an unknown or arbitrary system. You really have 
> to tinker your entropy collection to your situation, to your 
> particular system.
>
> 128 bits of entropy is enough for forever, so the big problem is start 
> up.
>
> A long running system is bound to have plenty of entropy - anything 
> more than 128 is plenty.  So if it writes a unique secret key to each 
> boot up image, and each boot up has access to a good approximation to 
> the current time, we are golden.
>
>
> _______________________________________________
> cryptography mailing list
> cryptography at randombit.net
> http://lists.randombit.net/mailman/listinfo/cryptography
If this was already brought up I apologize, but how about looking into 
the NIST Randomness Beacon?


-- 
Kevin


---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com



More information about the cryptography mailing list