Full Disclosure mailing list archives
Re: Working exploit for Debian generated SSH Keys
From: Tonnerre Lombard <tonnerre.lombard () sygroup ch>
Date: Fri, 23 May 2008 09:48:21 +0200
Salut, Michael, On Tue, 20 May 2008 13:41:41 -0400, Michael Holstein wrote:
Smoke Detector + Webcam = cheapo RNG
We were talking about PRNGs here, which are highly complex mathematical constructs, not hardware RNGs, which are also slightly hairy though. There are a couple of books on PRNG design, and even if you read them you probably still need a couple of years to design a secure PRNG.
I know some highly secure operations (eg: web casinos, using Geiger counters and background radiation) use a version of this for their RNGs, and random.org does it with RF (radios listening to static) .. do patches exist for OpenSSL to use hardware devices? (short of a hack to take something like the above and pipe it to /dev/random, etc).
OpenSSL would probably be slightly the wrong place to do this. The BSD systems tend to have kernel drivers for various hardware random sources, XORing them into each other to eliminate the problem with weak random sources. You can then distill this through the /dev/random device. OpenSSL needs a build flag to make use of this additional random material then, I think they add a certain amount of random material to their MD on each iteration. Please note that even hardware random sources are of quite varying quality. Like you said, a Geiger counter provides you with quite high-quality random numbers since, to our knowledge, quantum effects are rather hard to predict. You can also use hard disk seek times as a RNG source, but the quality is rather poor in this case, and you should only use it in addition to other sources. Tonnerre -- SyGroup GmbH Tonnerre Lombard Solutions Systematiques Tel:+41 61 333 80 33 Güterstrasse 86 Fax:+41 61 383 14 67 4053 Basel Web:www.sygroup.ch tonnerre.lombard () sygroup ch
Attachment:
signature.asc
Description:
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Working exploit for Debian generated SSH Keys Markus Müller (May 14)
- Re: Working exploit for Debian generated SSH Keys bob harley (May 18)
- Re: Working exploit for Debian generated SSH Keys Fredrick Diggle (May 18)
- Re: Working exploit for Debian generated SSH Keys reepex (May 18)
- Re: Working exploit for Debian generated SSH Keys Ronald van der Westen (May 19)
- Re: Working exploit for Debian generated SSH Keys nicolas vigier (May 19)
- Re: Working exploit for Debian generated SSH Keys Skratz0r (May 19)
- Re: Working exploit for Debian generated SSH Keys Garrett M. Groff (May 19)
- Re: Working exploit for Debian generated SSH Keys Tonnerre Lombard (May 20)
- Re: Working exploit for Debian generated SSH Keys Michael Holstein (May 20)
- Re: Working exploit for Debian generated SSH Keys Tonnerre Lombard (May 23)
- Re: Working exploit for Debian generated SSH Keys Garrett M. Groff (May 20)
- Re: Working exploit for Debian generated SSH Keys Valdis . Kletnieks (May 20)
- Re: Working exploit for Debian generated SSH Keys bob harley (May 18)