Mailing List Archive

fwd: What good is this really going to be?
Do the dire RNG warnings below arise because the kludge RNG is used
when signing a file or just because a gpg compiled with the kludge was
started?

jam

------- Forwarded Message

To: "John A. Martin" <jam@jamux.com>
Subject: What good is this really going to be?
Date: 04 Dec 1998 04:45:11 -0800

Um, John, this kind of output doesn't exactly give me the warm &
fuzzies.

With some difficulty I was able to create a secret/public key pair on
a Linux box with /dev/random and import it to the BSDI box, but ...



gpg (GnuPG) 0.4.4; Copyright (C) 1998 Free Software Foundation, Inc.
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions. See the file COPYING for details.

gpg: Warning: using insecure memory!
Reading passphrase from file descriptor 0

You need a passphrase to unlock the secret key for
user: "XEmacs Distribution Builder (Key used for signing XEmacs distributions) <xemacs-dist@xemacs.org>"
(1024-bit DSA key, ID DCF80B6B, created 1998-12-04)

gpg: WARNING: using insecure random number generator!!
The random number generator is only a kludge to let
it compile - it is in no way a strong RNG!

DON'T USE ANY DATA GENERATED BY THIS PROGRAM!!


------- End of Forwarded Message
Re: fwd: What good is this really going to be?
On Fri, Dec 04, 1998 at 07:34:40PM -0500, John A. Martin wrote:
> Do the dire RNG warnings below arise because the kludge RNG is used
> when signing a file or just because a gpg compiled with the kludge was
> started?

Hrrrm... You do need a random number (160 bits) for DSA signatures.

From Applied Crypto: "If Eve ever recovers a k that Alice used to sign a
message, perhaps by exploiting some properties of the random-number
generator that generated k, she can recover Alice's private key, x."

So, yes, the warning is there for a reason.

You should be able to sign with PGP5 and have GPG verify it though.
It's not fully free, but it's better to be safe.

--
Brian Moore | "The Zen nature of a spammer resembles
Sysadmin, C/Perl Hacker | a cockroach, except that the cockroach
Usenet Vandal | is higher up on the evolutionary chain."
Netscum, Bane of Elves. Peter Olson, Delphi Postmaster
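The reply above quotes Applied Cryptography on what happens when the per-signature k leaks. As an added example, not code from the thread, from GnuPG or from any participant, the following Python shows the arithmetic behind that warning: DSA at toy sizes with domain parameters generated on the fly, a signature made with a known k and the private key x recovered from it, and the reuse case (two signatures made with the same k), which is exactly what a weak generator makes likely. The parameter sizes (64-bit q, 256-bit p), the seed, the message bytes and all function names are assumptions for the demonstration; real DSA uses a q of at least 160 bits.

```python
import hashlib
import random


def is_probable_prime(n, rng, rounds=32):
    """Miller-Rabin probable-prime test (adequate for a demonstration)."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % sp == 0:
            return n == sp
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_params(rng, qbits=64, pbits=256):
    """Toy DSA domain parameters (p, q, g); sizes are assumptions, real DSA is larger."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if is_probable_prime(q, rng):
            break
    while True:
        m = rng.getrandbits(pbits - qbits) | (1 << (pbits - qbits - 1))
        m &= ~1                       # even multiplier, so p = m*q + 1 is odd
        p = m * q + 1
        if p.bit_length() == pbits and is_probable_prime(p, rng):
            break
    while True:
        h = rng.randrange(2, p - 1)
        g = pow(h, (p - 1) // q, p)   # generator of the order-q subgroup
        if g != 1:
            return p, q, g


def hash_to_int(msg, q):
    """DSA uses the leftmost bits of the hash, as many as q has."""
    digest = int.from_bytes(hashlib.sha1(msg).digest(), "big")
    excess = 160 - q.bit_length()
    return digest >> excess if excess > 0 else digest


def keygen(params, rng):
    p, q, g = params
    x = rng.randrange(1, q)
    return x, pow(g, x, p)


def sign(params, x, msg, k):
    """Sign with an explicitly supplied k so the attacks below can be shown."""
    p, q, g = params
    if not 1 <= k < q:
        raise ValueError("k must be in [1, q-1]")
    r = pow(g, k, p) % q
    s = pow(k, -1, q) * (hash_to_int(msg, q) + x * r) % q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature; pick another k")
    return r, s


def verify(params, y, msg, sig):
    p, q, g = params
    r, s = sig
    if not (0 < r < q and 0 < s < q):
        return False
    w = pow(s, -1, q)
    u1 = hash_to_int(msg, q) * w % q
    u2 = r * w % q
    return (pow(g, u1, p) * pow(y, u2, p) % p) % q == r


def recover_x_from_k(params, msg, sig, k):
    """Eve knows k for one signature: x = (s*k - H(m)) / r mod q."""
    _, q, _ = params
    r, s = sig
    return (s * k - hash_to_int(msg, q)) * pow(r, -1, q) % q


def recover_x_from_reused_k(params, msg1, sig1, msg2, sig2):
    """Two signatures with the same k share r; their difference leaks k."""
    _, q, _ = params
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("different r: k was not reused")
    if (s1 - s2) % q == 0:
        raise ValueError("identical s: cannot separate the signatures")
    h1, h2 = hash_to_int(msg1, q), hash_to_int(msg2, q)
    k = (h1 - h2) * pow(s1 - s2, -1, q) % q
    return recover_x_from_k(params, msg1, sig1, k)


def demo(seed=1998):
    """Constructed messages, one key, one k used twice; returns what Eve recovers."""
    rng = random.Random(seed)
    params = gen_params(rng)
    _, q, _ = params
    x, y = keygen(params, rng)
    msg1 = b"release-1.tar.gz (constructed sample message)"
    msg2 = b"release-2.tar.gz (constructed sample message)"
    k = rng.randrange(1, q)           # a weak generator would make this guessable
    sig1 = sign(params, x, msg1, k)
    sig2 = sign(params, x, msg2, k)   # same k again: the classic mistake
    return {
        "x": x,
        "verified": verify(params, y, msg1, sig1) and verify(params, y, msg2, sig2),
        "x_from_known_k": recover_x_from_k(params, msg1, sig1, k),
        "x_from_reused_k": recover_x_from_reused_k(params, msg1, sig1, msg2, sig2),
    }


if __name__ == "__main__":
    d = demo()
    print("recovered x from known k:", d["x_from_known_k"] == d["x"])
    print("recovered x from reused k:", d["x_from_reused_k"] == d["x"])
```

Both recoveries are a few modular operations once k (or a pair of signatures sharing k) is in hand, which is why the kludge RNG's output is unusable for signing even though verification of the resulting signatures would succeed.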
Re: fwd: What good is this really going to be?
brian moore <bem@cmc.net> writes:

> On Fri, Dec 04, 1998 at 07:34:40PM -0500, John A. Martin wrote:
>> Do the dire RNG warnings below arise because the kludge RNG is used
>> when signing a file or just because a gpg compiled with the kludge was
>> started?

> Hrrrm... You do need a random number (160 bits) for DSA signatures.

Sigh. O.K. Thanks for the response. Unfortunately that pretty much
eliminates any use we have for gnupg until something gets fixed for
BSDI.

> From Applied Crypto: "If Eve ever recovers a k that Alice used to sign a
> message, perhaps by exploiting some properties of the random-number
> generator that generated k, she can recover Alice's private key, x."

> So, yes, the warning is there for a reason.

> You should be able to sign with PGP5 and have GPG verify it though.
> It's not fully free, but it's better to be safe.

There isn't a version of PGP5 I particularly trust or have tested, but
I suppose that's what we'll have to use.
Re: fwd: What good is this really going to be?
>>>>> "sb" == SL Baur
>>>>> "Re: fwd: What good is this really going to be?"
>>>>> 05 Dec 1998 04:20:19 -0800

>> Hrrrm... You do need a random number (160 bits) for DSA
>> signatures.

sb> Sigh. O.K. Thanks for the response. Unfortunately that
sb> pretty much eliminates any use we have for gnupg until
sb> something gets fixed for BSDI.

Is there any possibility of porting the linux random device driver to
BSDI? Isn't that what other *BSDs have done?

jam
Re: fwd: What good is this really going to be?
Is there any chance of using the code in the Math-Trulyrandom Perl
module for platforms w/o a /dev/random? The license for the code in
question is:

/*
* Physically random numbers (very nearly uniform)
* D. P. Mitchell
* Modified by Matt Blaze 2/95
*/
/*
* The authors of this software are Don Mitchell and Matt Blaze.
* Copyright (c) 1995 by AT&T.
* Permission to use, copy, and modify this software without fee
* is hereby granted, provided that this entire notice is included in
* all copies of any software which is or includes a copy or
* modification of this software and in all copies of the supporting
* documentation for such software.
*
* This software may be subject to United States export controls.
*
* THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY
* REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
* OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
*/

It goes on to say that you get about 16 bits of pseudo-entropy out of
each 32 bit return value, and to run it through a post-whitening
function like DES or MD5 to ensure uniform diffusion of said entropy.

Cf the truerand.c file in
<URL:http://www.cpan.org/authors/id/GARY/Math-TrulyRandom-1.0.tar.gz>.

-JimC
--
James H. Cloos, Jr. <http://www.jhcloos.com/cloos/pgp_public_key.txt>
<cloos@jhcloos.com> E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6
Re: fwd: What good is this really going to be?
"James H. Cloos Jr." <cloos@jhcloos.com> writes:

> Is there any chance of using the code in the Math-Trulyrandom Perl

I do not see that this is a cryptographically strong RNG.

> module for platforms w/o a /dev/random? The license for the code in

BTW Theodore Ts'o's /dev/random driver has a BSD license and it should
therefore be possible to put it into BSDI.


Werner
Re: fwd: What good is this really going to be?
Gee, I don't know... Don works for Microsoft now...

cloos@jhcloos.com said:
> Is there any chance of using the code in the Math-Trulyrandom Perl
> module for platforms w/o a /dev/random? The license for the code in
> question is:

> * The authors of this software are Don Mitchell and Matt Blaze.
> * Copyright (c) 1995 by AT&T.
Re: fwd: What good is this really going to be?
On Sun, Dec 06, 1998 at 06:17:46PM +0100, Werner Koch wrote:
> "James H. Cloos Jr." <cloos@jhcloos.com> writes:
>
> > Is there any chance of using the code in the Math-Trulyrandom Perl
>
> I do not see that this is a cryptographic strong RNG

How do you feel about the one in rndunix? It seems to work (though a bit
noisy and sorta nasty on load). It at least doesn't stamp 'INSECURE!' on
a key I just made.

I'd be willing to contribute something to snarf a bunch of bytes from
/dev/audio on Solaris (would have to be suid-root to do that, but
shouldn't be too hard to make safe).

I think some of the residuals from NTP may be useful as well (the
fractional seconds in reftime, for example:
reftime=ba1835f7.03041000 Tue, Dec 8 1998 15:34:15.011, poll=9)

--
Brian Moore | "The Zen nature of a spammer resembles
Sysadmin, C/Perl Hacker | a cockroach, except that the cockroach
Usenet Vandal | is higher up on the evolutionary chain."
Netscum, Bane of Elves. Peter Olson, Delphi Postmaster
Re: fwd: What good is this really going to be?
On Tue, Dec 08, 1998 at 03:35:56PM -0800, brian moore wrote:

> I'd be willing to contribute something to snarf a bunch of bytes
> from /dev/audio on Solaris (would have to be suid-root to do that,
> but shouldn't be too hard to make safe).

How about putting this functionality into an external helper
program? This can be made secure and suid root without too much
risk. GPG could invoke this program and communicate over a pipe:
GPG writes a number, and the "random source program" replies with
the corresponding number of random bytes. Markus Kuhn has something
really nice along these lines for his one-time password system.
Should be somewhere around on:

http://www.cl.cam.ac.uk/~mgk25/

tlr
--
Thomas Roessler · 74a353cc0b19 · dg1ktr · http://home.pages.de/~roessler/
2048/CE6AC6C1 · 4E 04 F0 BC 72 FF 14 23 44 85 D1 A1 3B B0 73 C1
Re: fwd: What good is this really going to be?
bem@cmc.net (brian moore) writes:
> I'd be willing to contribute something to snarf a bunch of bytes from
> /dev/audio on Solaris (would have to be suid-root to do that, but
> shouldn't be too hard to make safe).
>
> I think some of the residuals from NTP may be useful as well (the
> fractional seconds in reftime, for example:
> reftime=ba1835f7.03041000 Tue, Dec 8 1998 15:34:15.011, poll=9)

You could hook more stuff into rndunix ("ntpq -c rv") in the big table of "fun
random stuff" (I'm particularly fond of the wget lavarand one). It might be
worth considering copying the RNG code into a separate long-running daemon,
with a unix socket or something from which to read the random data. Basically
a user-space implementation of /dev/random. Should work for any unixish
system. You could then have a script that reads from the random process and
add that script into the rndunix table.

Having the daemon always running in the background gathering entropy would
also make it a lot faster..

-Brian (Warner)
Re: fwd: What good is this really going to be?
On Wed, Dec 09, 1998 at 01:19:03AM +0100, Thomas Roessler wrote:
> On Tue, Dec 08, 1998 at 03:35:56PM -0800, brian moore wrote:
>
> > I'd be willing to contribute something to snarf a bunch of bytes
> > from /dev/audio on Solaris (would have to be suid-root to do that,
> > but shouldn't be too hard to make safe).
>
> How about putting this functionality into an external helper
> program? This can be made secure and suid root without too much
> risk. GPG could invoke this program and communicate over a pipe:
> GPG writes a number, and the "random source program" replies with
> the corresponding number of random bytes. Markus Kuhn has something
> really nice along these lines for his one-time password system.
> Should be somewhere around on:

Absolutely. I ran truss on 'sar' and found its secret. 'man kstats'
if you've got a Slugaris box handy. A whole slew of uselessly
meaningless numbers that cycle around counting meaningless things!
Which is, of course, a good source of entropy.

Try this on Slugaris (stolen mostly from the man page :)):


/*
 * print a bunch of kernel numbers for random seeds
 *
 * compile with: gcc -o random random.c -lkstat
 */


#include <kstat.h>
#include <stdio.h>

/* for TYPE_IO, the most interesting numbers seem to be wtime:
   hrtime_t wtime; ... cumulative wait (pre-service) time
   ... in nanoseconds!

   Needless to say, this cycles fast. */

int main(int argc, char **argv)
{
    kstat_ctl_t *kc;
    kstat_t *ksp;
    kstat_io_t kio;

    kc = kstat_open();
    if (kc == NULL) {
        perror("kstat_open");
        return 1;
    }
    /* walk the whole kstat chain and dump every I/O statistics entry */
    for (ksp = kc->kc_chain; ksp != NULL; ksp = ksp->ks_next) {
        if (ksp->ks_type != KSTAT_TYPE_IO)
            continue;
        if (kstat_read(kc, ksp, &kio) == -1)
            continue;       /* entry went away or is unreadable: skip it */
        /* reads/writes are uint_t; rtime/wtime are hrtime_t (64-bit ns) */
        fprintf(stderr, "%u %u %lld %lld\n",
                kio.reads, kio.writes,
                (long long)kio.rtime, (long long)kio.wtime);
    }
    kstat_close(kc);
    return 0;
}

No suid needed, and that kio.wtime looks really really cool in its
randomness. I'll start dumping a whole slew of useless and silly
numbers (maybe for counters using the low three or four digits, but for
things like kio.wtime let it have the whole thing since it seems really
noisy and useless).

There are tons and tons of numbers to print. Not as good as a real
/dev/random, but not bad either. It'll certainly give rndunix some
stuff to chew on.

--
Brian Moore | "The Zen nature of a spammer resembles
Sysadmin, C/Perl Hacker | a cockroach, except that the cockroach
Usenet Vandal | is higher up on the evolutionary chain."
Netscum, Bane of Elves. Peter Olson, Delphi Postmaster
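Several messages above converge on one design: a noisy source (the truerand audio timing with its 16 usable bits per 32-bit sample, rndunix command output, NTP residuals, the kstat counters just posted) gets mixed through a hash that whitens it, and the gathering lives in a helper or daemon that hands bytes to GPG over a pipe. The following Python, an added example and not any participant's code nor anything shipped with GnuPG or rndunix, puts those pieces together in one place: a SHA-1 mixed pool that credits only a conservative number of bits per sample, gives a stuck source no credit, caps credit at the size of its state, refuses to hand out bytes it has not earned (the opposite of the kludge RNG's behaviour), and answers count-in, bytes-out requests over a pipe. The sample lines are constructed in the "reads writes rtime wtime" format printed by the kstat program above; the per-field credits (4 low bits per counter, 8 for rtime, 16 for wtime), the one-byte status codes and all names are assumptions.

```python
import hashlib
import os
import struct

# Constructed sample in the format of the kstat dumper above (reads writes
# rtime wtime).  Lines 3 and 4 repeat three fields on purpose (stuck source).
SAMPLE_LINES = """\
1 0 0 3157224
27 4 2101985306 10485337741
1052 88 98235552164 3114882377410
1053 88 98235552164 3114882377410
1057 91 98312064410 3119934001280
"""


class EntropyPool:
    """Hash-mixed pool that pays out only as many bytes as it has been credited
    for.  Raw samples never leave the pool; SHA-1 whitens them on the way out."""

    STATE_BYTES = hashlib.sha1().digest_size    # 20 bytes = 160 bits

    def __init__(self):
        self._state = b"\x00" * self.STATE_BYTES
        self._last = {}        # last value per source, to spot a stuck source
        self._counter = 0
        self.credit_bits = 0

    def add(self, source, value, bits):
        """Mix one integer sample in; credit at most `bits` bits (the caller's
        conservative estimate).  Returns the bits actually credited."""
        if not 0 <= bits <= 64:
            raise ValueError("credit must be between 0 and 64 bits")
        data = source.encode() + struct.pack("!Q", value & 0xFFFFFFFFFFFFFFFF)
        self._state = hashlib.sha1(self._state + data).digest()
        if self._last.get(source) == value:
            bits = 0           # same reading as last time: no new entropy
        self._last[source] = value
        before = self.credit_bits
        # a 160-bit state cannot hold more than 160 bits of entropy
        self.credit_bits = min(before + bits, 8 * self.STATE_BYTES)
        return self.credit_bits - before

    def extract(self, n):
        """Return n whitened bytes, or refuse if the pool has not earned them."""
        if n * 8 > self.credit_bits:
            raise RuntimeError("insufficient entropy: %d bits credited, %d requested"
                               % (self.credit_bits, n * 8))
        out = b""
        while len(out) < n:
            self._counter += 1
            out += hashlib.sha1(self._state + b"out" + struct.pack("!Q", self._counter)).digest()
            self._state = hashlib.sha1(self._state + b"ratchet").digest()  # old output stays unrecoverable
        self.credit_bits -= n * 8
        return out[:n]


def feed_kstat_lines(pool, text):
    """Parse 'reads writes rtime wtime' lines into the pool; returns bits credited.
    Counters get only their low 4 bits credited, rtime 8, the nanosecond wtime 16."""
    credited = 0
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue
        reads, writes, rtime, wtime = (int(f) for f in fields)
        credited += pool.add("reads", reads, 4)
        credited += pool.add("writes", writes, 4)
        credited += pool.add("rtime", rtime, 8)
        credited += pool.add("wtime", wtime, 16)
    return credited


def handle_request(pool, request):
    """Helper side of the pipe protocol: 4-byte big-endian byte count in;
    status 0x00 + payload out, or status 0x01 + 4-byte bits still available."""
    (n,) = struct.unpack("!I", request[:4])
    try:
        return b"\x00" + pool.extract(n)
    except RuntimeError:
        return b"\x01" + struct.pack("!I", pool.credit_bits)


def demo():
    """Feed the sample, then push two requests through real pipes in-process:
    16 bytes (affordable with 132 credited bits) and 4 more (refused)."""
    pool = EntropyPool()
    credited = feed_kstat_lines(pool, SAMPLE_LINES)
    req_r, req_w = os.pipe()
    rep_r, rep_w = os.pipe()
    replies = []
    for n in (16, 4):
        os.write(req_w, struct.pack("!I", n))             # caller ("GPG") side
        reply = handle_request(pool, os.read(req_r, 4))   # helper side
        os.write(rep_w, reply)
        replies.append(os.read(rep_r, len(reply)))
    for fd in (req_r, req_w, rep_r, rep_w):
        os.close(fd)
    return credited, replies


if __name__ == "__main__":
    credited, (first, second) = demo()
    print("credited %d bits; 16-byte request status %d; 4-byte request status %d"
          % (credited, first[0], second[0]))
```

The credit numbers are where the real judgement lies: the pool cannot measure entropy, it only accounts for what the caller claims, so the claims have to be deliberately low, and a source that repeats its last reading (the stuck line in the sample) earns nothing. Splitting the helper from GPG, as Thomas suggests, also keeps whatever privilege the source needs (suid root for /dev/audio) out of the program that holds the secret key.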
Re: fwd: What good is this really going to be?
brian moore <bem@cmc.net> writes:

> No suid needed, and that kio.wtime looks really really cool in its
> randomness. I'll start dumping a whole slew of useless and silly

Really nice, maybe we should do a rndsolaris.


Werner