Re: RNG in a Smart Card


Enzo Michelangeli (em@who.net)
Thu, 30 Jul 1998 20:05:47 +0800


-----Original Message-----
From: Peter Gutmann <pgut001@cs.auckland.ac.nz>
Date: Thursday, July 30, 1998 9:05 AM

>I've just been informed of another example of a very questionable RNG. Have a
>look at https://spk-ihb.izb-hb.de/SPK_Forchheim/index.html, the first thing
>you'll be asked to do is move your mouse a bit to generate a 128-bit session
>key for use in Internet banking. Apparently moving your mouse in a 10cm
>straight line is enough to generate 128 bits of entropy. Java types may want
>to look at this in a bit more detail.

Here we go.
Basically, they use as a seed an array of 100 long integers (64-bit, as it
is in Java) organized as a sequence of 25 quadruples. Each quadruple is set
by the handling of a "mouse move" event:

- the first element is loaded with the time of the event
- the second with the x coordinate
- the third with the difference between the time of the event and the
time of the previous one
- the fourth with the y coordinate

The "StatusIndikator" is just the index in the array after each event, which
explains why it's always a multiple of four :-) Here's the code (part of the
izb.ib200.Init class):

    public boolean mouseMove(Event event, int i1, int j)
    {
        if (event == null || alClSeedStartBuffer == null)
            return true;
        if (iClMouseMoveCounter < 25)
        {
            int k = iClMouseMoveCounter * 4;
            alClSeedStartBuffer[k] = event.when;
            alClSeedStartBuffer[k + 1] = event.x;
            alClSeedStartBuffer[k + 2] = event.when - lClLastEventWhen;
            alClSeedStartBuffer[k + 3] = event.y;
            lClLastEventWhen = event.when;
            int i2 = Math.min(k, 99);
            statusbar.setStatus((double)i2 / 100.0);
        }
        else if (iClMouseMoveCounter == 25)
        {
            statusbar.setStatus(1.0);
            showMessage("Anwendung wird gestartet...");
        }
        else if (iClMouseMoveCounter == 26)
        {
            HomebankingPage.strClCurrentPage = "";
            turnToPage("Registration");
        }
        iClMouseMoveCounter++;
        return true;
    }

So, just for fun I inserted code to dump the 25 quadruples. A typical run
gives:

901797390500 576 901797390500 313
901797392090 575 1590 313
901797392150 574 60 313
901797392200 572 50 311
901797392200 564 0 310
901797392260 562 60 309
901797392310 560 50 307
901797392370 558 60 306
901797392370 557 0 305
901797392420 555 50 304
901797392420 554 0 303
901797392420 548 0 302
901797392480 547 60 301
901797392480 541 0 300
901797392530 535 50 298
901797392530 527 0 296
901797392590 521 60 295
901797392640 519 50 294
901797392700 505 60 286
901797392700 497 0 285
901797392810 496 110 284
901797392810 488 0 278
901797392860 482 50 276
901797392860 480 0 274
901797392920 480 60 273

The applet was run with AppletViewer of SDK 1.1.5 under Windows 98. Note
that the time is incremented in 40, 50 or 60 msec blocks: this appears to be
due to the implementation of System.currentTimeMillis(), or, better, of the
underlying Win32 implementation in Win95/98 (I've been told that in NT it's
finer-grained).

For the cryptographic stuff, they seem to use classes part of a package
called xpresso131 (I couldn't find any reference on the web).

Enzo
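
An added example (not part of the original message or of the applet's code): this Python sketch loads the dump above, checks that the stored time-delta column can be recomputed from the timestamps, and computes a plug-in min-entropy estimate of the per-event deltas for this one run. It assumes lClLastEventWhen starts at 0 and treats dt, dx and dy as independent; with only 24 deltas the figure is a rough indication, and the start time and start position are not counted.

```python
import math
from collections import Counter

# The 100-long seed buffer dumped in the message, two quadruples per line.
# Layout per event, as in mouseMove(): when, x, when - last_when, y.
BUF = [int(v) for v in """
901797390500 576 901797390500 313   901797392090 575 1590 313
901797392150 574 60 313             901797392200 572 50 311
901797392200 564 0 310              901797392260 562 60 309
901797392310 560 50 307             901797392370 558 60 306
901797392370 557 0 305              901797392420 555 50 304
901797392420 554 0 303              901797392420 548 0 302
901797392480 547 60 301             901797392480 541 0 300
901797392530 535 50 298             901797392530 527 0 296
901797392590 521 60 295             901797392640 519 50 294
901797392700 505 60 286             901797392700 497 0 285
901797392810 496 110 284            901797392810 488 0 278
901797392860 482 50 276             901797392860 480 0 274
901797392920 480 60 273
""".split()]
QUADS = [tuple(BUF[i:i + 4]) for i in range(0, len(BUF), 4)]

def delta_column_is_redundant(quads):
    """True if every stored time delta equals when - previous when.
    Assumption: lClLastEventWhen starts at 0, as the first row suggests."""
    last = 0
    for when, _x, dt, _y in quads:
        if dt != when - last:
            return False
        last = when
    return True

def per_event_deltas(quads):
    """(dt, dx, dy) between consecutive events."""
    return [(b[0] - a[0], b[1] - a[1], b[3] - a[3]) for a, b in zip(quads, quads[1:])]

def min_entropy_bits(samples):
    """Plug-in min-entropy per sample: -log2 of the most common value's frequency."""
    p_max = Counter(samples).most_common(1)[0][1] / len(samples)
    return -math.log2(p_max)

def estimate_delta_bits(quads):
    """Rough total over all deltas, treating dt, dx and dy as independent."""
    cols = list(zip(*per_event_deltas(quads)))
    return len(cols[0]) * sum(min_entropy_bits(c) for c in cols)

if __name__ == "__main__":
    print("dt column redundant:", delta_column_is_redundant(QUADS))
    print("estimated bits in deltas: %.1f" % estimate_delta_bits(QUADS))
```

For this dump the redundancy check returns True and the estimate comes to about 95 bits.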



The following archive was created by hippie-mail 7.98617-22 on Fri Aug 21 1998 - 17:21:01 ADT