[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Random #'s via serial port dongle?

Steve Bellovin writes:

(quoting me and Perry)

> 	 Timothy C. May says:
> 	 > I don't think generating random numbers is all that much of a
> 	 > priority. The Blum-Blum-Shub C code is available, and I defy anyone 
> 	to
> 	 > break _that_ PRNG!
> 	 Its partially a question of speed. Many applications, like one time
> 	 pads, are just too slow to generate random strings for given normal
> 	 techniques. Its partially a question of automation -- I'd like to be
> 	 able to generate public/private key pairs on a regular basis and its
> 	 hard to do given all the goddamn typing. Its partially a question of
> 	 abstract hacker satisfaction -- one would like to know that one's
> 	 numbers are RANDOM.
> That isn't a matter of ``abstract hacker satisfaction''.  That's a very
> strong security requirement:  how do you *know* that your keys are
> random?
> Tim May suggested using Blum-Blum-Shub.  Fine -- but how are you going
> to seed it?  That's why I want real random numbers -- as a seed to
> Blum-Blum-Shub or quintuple IDEA or MD5 composed with SHS' or whatever.
> I probably wouldn't use the random numbers in raw form, though -- and
> no one else does, either; the real random number generators I've seen
> all incorporate some sort of scrambling function.

My point, not shown above, was not that a good RNG based on physical
sources isn't needed. I would in fact buy one, if only for playing
with it, if it was cheap enough (the $25 numbers sounded reasonable).

Rather, my main point was that we've seen this proposal for a RNG
dongle at least 4 or 5 times before. Sort of like the t-shirt
proposals, except with t-shirts the problems are simpler, the pathway
clearer, and eventually someone goes ahead and starts the process and
t-shirts come out the other end.

With crypto dongles discussed here over the past year and a half,
there is typically a flurry of "wouldn't it be nice" and "it ought to
be easy to reverse bias a diode" and "what about alpha particles?"
posts and "why doesn't someone do it?" messages, and,
then.....silence. Until the next flurry, of course.

I have not called for a cheap RNG, so I am not obligated to put up or
shut up. For those who have claimed it ought to be easy, here's your

(I worry less about random numbers because I believe an attack on
one's PGP messages is much, much likelier to come from inadvertent
revealing of one's key and passphrase, through the usual means, than
through an attack based on the nonmaximal entropy of the random
numbers generated. But if better random numbers are essentially
free... Of course, there's then the possibility that one's RNG dongle
is actually generating nonrandom bits--maybe NIST and NSA can license
RNGs and sell "Ripper" chips?)

I'll commit right now to paying $25 for a serial port dongle that
"looks like" a standard serial port device (a modem, for example,
looking like a modem hooked up at 19,200 or better to the Cosmic
Random Number). It won't even have to have drivers to talk to
it...I'll buy the dongle first and worry about that later. (The dongle
must meet certain basic requirements, such as outputting bits of the
right amplitude. No RS-232 connectors with 1K resistors soldered
across the pins, please.)

--Tim May

Timothy C. May         | Crypto Anarchy: encryption, digital money,  
[email protected]       | anonymous networks, digital pseudonyms, zero
408-688-5409           | knowledge, reputations, information markets, 
W.A.S.T.E.: Aptos, CA  | black markets, collapse of governments.
Higher Power: 2^859433 | Public Key: PGP and MailSafe available.
"National borders are just speed bumps on the information superhighway."