[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

FWD: Hot and cold running randomness



The following article was on RISKS Digest.
Obviously it's not usable for cryptographic randomness,
since you can't trust the path to be safe from eavesdroppers
(even if you're using SSL/RC4-128, can you trust the far end?
or from denial of service attacks (so be careful about wiring it in),
but sometimes you just want a good-quality random number to seed things,
such as a simulation program, and it might not be a bad thing to
hash in to your entropy pool with locally-derived sources.
------------------------------

Date: Mon, 10 Mar 1997 13:10:36 -0800
From: [email protected] (Dan Wing)
Subject: Hot and cold running randomness

TBTF's 9 Mar 1997 issue carried this item:

#..Hot and cold running randomness
#
#    Perhaps for the first time, anyone with an Internet connection can
#    tap a source of true randomness. The creator of HotBits [16], John
#    Walker <[email protected]>, describes it as
#
#      > an Internet resource that brings genuine random numbers, 
#      > generated by a process fundamentally governed by the inherent
#      > uncertainty in the quantum mechanical laws of nature, directly
#      > to your computer... HotBits are generated by timing successive
#      > pairs of radioactive decays... You order up your serving of
#      > HotBits by filling out a [Web] request form... the HotBits
#      > server flashes the random bytes back to you over the Web.
#
#    Walker modified an off-the-shelf radiation detector to interface to
#    a PC-compatible serial port, and ran a cable three floors down from
#    his office to a converted 70,000-litre subterranean water cistern
#    with metre-thick concrete walls, where the detector nestles with a
#    60-microcurie Krypton-85 radiation source.
#
#    If you're in the mood for an anti-Microsoft rant of uncommon eloquence,
#    Walker can supply that too [17].
#
#    Thanks to Keith Bostic <[email protected]> for the word on this 
#    delightful service.
#
#    [16] <URL:http://www.fourmilab.ch/hotbits/>
#    [17] <URL:http://www.fourmilab.ch/hotbits/source/hotbits-c.html>

An interesting idea, but hopefully no will use it -- it is too easily
spoofed via DNS, and the host itself could be hacked to return the same
'random' number all the time.  (Maybe after we have IPsec, SecDNS, _and_ you
trust the host we could use services like this on the Internet).

Dan Wing  [email protected]

------------------------------


#			Thanks;  Bill
# Bill Stewart, +1-415-442-2215 [email protected]
# You can get PGP outside the US at ftp.ox.ac.uk/pub/crypto/pgp
#     (If this is a mailing list, please Cc: me on replies.  Thanks.)