DIY RNGs [was: Re: Curious RNG stalemate [was: use of cpunks]]

Andy Isaacson adi at hexapodia.org
Tue Oct 22 11:27:16 PDT 2013


On Tue, Oct 22, 2013 at 06:47:40PM +0200, Krisztián Pintér wrote:
> Once you have your data stream in memory, you just need to use some
> whitening. That is the easy part. Virtually every cryptographic
> primitive can be turned into a secure whitener.
> 
> For example, I have implemented a small toy/tool to generate random
> data from the noise of the sound card. It is pretty much the same
> thing, you just replace the line-in with your data source, and the
> whitening part is done. It is for Windows only. Check it out here:
> 
> https://github.com/krisztianpinter/rnd_wavein

It seems that rnd_wavein uses a small window (you document 256 samples
as the default).  One common silent-failure mode of video capture
interfaces is to intermittently provide the same frame (around 1 MiB of
data) twice!

If your whitener doesn't chain blocks and you use the output directly as
random data (worst case, as an OTP) then a long-term repeat like that is
completely catastrophic, giving you a modern reprise of the Venona
break:
http://www.nsa.gov/about/_files/cryptologic_heritage/publications/coldwar/venona_story.pdf

If you do chain, it merely reduces the entropy of the stream
significantly.  Also it's entirely possible that an attacker can
influence the behavior of the system; depending on your threat model
either through direct physical access or by causing CPU starvation
through a network or algorithmic DoS to trigger misbehavior in the
driver.

It would be much better to implement a multi-stage entropy pool design
with catastrophic mixing, such as Schneier et al.'s Fortuna:

https://en.wikipedia.org/wiki/Fortuna_%28PRNG%29

> Disclaimer: the old rule "don't roll your own crypto" is still in
> effect.

Indeed.

-andy
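The failure mode Andy describes (a capture driver silently handing back the same buffer twice) and his two remedies (chain the whitener; better, use a Fortuna-style multi-pool accumulator) can be made concrete. The following is an added illustration, not code from rnd_wavein, from Krisztián, or from the Fortuna paper: it feeds a constructed capture in which one frame arrives twice through a per-window SHA-256 whitener, a chained whitener, and a simplified Fortuna accumulator, and reports where output blocks repeat. The `WINDOW`, `FortunaLite`, `MIN_POOL_BYTES` names, the SHA-256 counter-mode generator standing in for Fortuna's block cipher, and the pseudo-noise input are all assumptions made for the example.

```python
import hashlib
import struct

WINDOW = 256  # bytes per whitening window (the reply cites a 256-sample default)


def find_repeats(stream: bytes, block: int) -> list:
    """Return (earlier, later) index pairs of identical block-sized slices.

    Run on the raw capture it is a stuck-source check; run on whitener
    output it finds the long-term repeat that would expose an OTP."""
    seen, dups = {}, []
    for idx in range(len(stream) // block):
        blk = stream[idx * block:(idx + 1) * block]
        if blk in seen:
            dups.append((seen[blk], idx))
        else:
            seen[blk] = idx
    return dups


def whiten_windows(samples: bytes) -> bytes:
    """Non-chaining whitener: each window is hashed on its own, so a window
    the driver delivers twice produces the same output block twice."""
    return b"".join(hashlib.sha256(samples[i:i + WINDOW]).digest()
                    for i in range(0, len(samples) - len(samples) % WINDOW, WINDOW))


def whiten_chained(samples: bytes) -> bytes:
    """Chained whitener: the running digest is fed back, so every output block
    depends on all earlier input. A repeated window no longer repeats the
    output, but it still adds no fresh entropy."""
    state, out = bytes(32), bytearray()
    for i in range(0, len(samples) - len(samples) % WINDOW, WINDOW):
        state = hashlib.sha256(state + samples[i:i + WINDOW]).digest()
        out += state
    return bytes(out)


class FortunaLite:
    """Fortuna-style accumulator, simplified for illustration (assumed design).

    Events go round-robin into 32 pools; reseed number k draws from pool i
    whenever 2**i divides k, so a stuttering or partly attacker-controlled
    source cannot stop the slow pools from eventually carrying enough unknown
    material (Fortuna's catastrophic reseed). SHA-256 in counter mode stands
    in for the block cipher of the paper; the generator rekeys after every
    request. Fortuna's minimum reseed interval is omitted here."""

    MIN_POOL_BYTES = 64  # reseed once pool 0 has collected this much

    def __init__(self):
        self.pools = [hashlib.sha256() for _ in range(32)]
        self.pool0_len = 0
        self.next_pool = 0
        self.reseeds = 0
        self.key = bytes(32)
        self.counter = 0
        self.seeded = False

    def add_event(self, data: bytes) -> None:
        self.pools[self.next_pool].update(data)
        if self.next_pool == 0:
            self.pool0_len += len(data)
        self.next_pool = (self.next_pool + 1) % 32

    def _reseed(self) -> None:
        self.reseeds += 1
        h = hashlib.sha256(self.key)
        for i in range(32):
            if self.reseeds % (1 << i) == 0:
                h.update(self.pools[i].digest())
                self.pools[i] = hashlib.sha256()  # a pool is emptied once used
        self.pool0_len = 0
        self.key = h.digest()
        self.seeded = True

    def random_bytes(self, n: int) -> bytes:
        if self.pool0_len >= self.MIN_POOL_BYTES:
            self._reseed()
        if not self.seeded:
            raise RuntimeError("refusing to emit output before the first reseed")
        out = bytearray()
        while len(out) < n:
            out += hashlib.sha256(self.key + struct.pack(">Q", self.counter)).digest()
            self.counter += 1
        # Rekey so a later key compromise does not reveal this request's output.
        self.key = hashlib.sha256(self.key + b"rekey" + struct.pack(">Q", self.counter)).digest()
        self.counter += 1
        return bytes(out[:n])


def constructed_capture(frame_windows: int = 4) -> bytes:
    """Constructed input (not real capture data): one frame of deterministic
    pseudo-noise delivered twice, mimicking a driver handing back the same
    buffer twice."""
    frame = b"".join(hashlib.sha256(b"noise" + bytes([i])).digest()
                     for i in range(frame_windows * WINDOW // 32))
    return frame + frame


def compare(capture: bytes) -> dict:
    """Stuck-source check plus the three designs over the same capture."""
    acc = FortunaLite()
    for i in range(0, len(capture), WINDOW):
        acc.add_event(capture[i:i + WINDOW])
    n_out = (len(capture) // WINDOW) * 32  # same output length as the hash whiteners
    return {
        "raw": find_repeats(capture, WINDOW),
        "windowed": find_repeats(whiten_windows(capture), 32),
        "chained": find_repeats(whiten_chained(capture), 32),
        "fortuna": find_repeats(acc.random_bytes(n_out), 32),
    }


if __name__ == "__main__":
    for name, dups in compare(constructed_capture()).items():
        print(f"{name:9s} repeated blocks: {dups}")
```

On the constructed capture the raw stream and the per-window whitener both show windows 0 to 3 repeated as 4 to 7, which is exactly the Venona-style reuse if those bytes are used as a pad; the chained whitener and the accumulator show no repeats. Note that neither of the latter manufactures entropy: the duplicate frame contributes nothing new, which is why the `find_repeats` check on the raw stream is worth keeping as a health test in front of any of these designs.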



More information about the cypherpunks mailing list