Adam Shostack (adam@homeport.org)
Fri, 9 Apr 1999 11:05:53 -0400
On Fri, Apr 09, 1999 at 09:09:28AM -0500, William H. Geiger III wrote:
| This is not to attack the authors of this program. I am sure that they
| have put quite a bit of time and effort into this program. It just seems
| odd that it has been accepted without question, after all we would not all
| switch to a new crypto algorithm without extensive peer review, why is it
| that the source of random numbers has received so little attention?
Because the alternatives suck, and by using a system library, you gain
the ability to fix everything at once, if a problem is found.

I'll note that the mixing function is not strong; if you know the
state of the pool at time T, it deviates away from that slowly. This
slow change of state can lead to an attacker who gets access to the
pool once having a relatively small search space for the pool as it
moves forward, and being able to track the changes. Use of a strong
mixing function to add bits makes this attack much harder. (This is
from Kelsey et al on PRNGs, and notes in the code.)

Good regular use of add_keyboard_randomness will help, by stretching
the space a bunch. It seems (from a very quick scan of the code) that
the pool gets updated regularly from mouse and keyboard. Analyzing
the performance hit of replacing the CRC function with md4 or md5
might be worthwhile anyway. (You don't need collision resistance to
get good value from this, what you really want is strong avalanching,
where as soon as a 1 bit input change has a .5 chance of affecting
each output bit, you have an optimal speed/security tradeoff.)

Adam

-- "It is seldom that liberty of any kind is lost all at once." -Hume
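Added example, not part of the message above or of the kernel code it discusses: a small Python script that measures the avalanche property Adam describes, comparing CRC-32 (standing in for CRC-style pool mixing) against MD5 truncated to 32 bits, and checking the weakness behind the "track the changes" remark: because CRC is linear over GF(2), the output difference caused by flipping one input bit does not depend on the rest of the input, so an observer who knows the pool once can predict how each later one-bit contribution moves it. The `mix_crc32`, `mix_md5`, `avalanche` and `diff_patterns` names are mine; the inputs are constructed from a seeded PRNG.

```python
import hashlib
import random
import zlib

OUT_BITS = 32  # compare the low 32 bits of each mixing function's output


def mix_crc32(data: bytes) -> int:
    """CRC-32 as a stand-in for the CRC-style mixing the message criticises."""
    return zlib.crc32(data) & 0xFFFFFFFF


def mix_md5(data: bytes) -> int:
    """MD5 truncated to 32 bits, the kind of replacement the message suggests."""
    return int.from_bytes(hashlib.md5(data).digest()[:4], "big")


def _flip_bit(msg: bytes, bit: int) -> bytes:
    out = bytearray(msg)
    out[bit // 8] ^= 1 << (bit % 8)
    return bytes(out)


def avalanche(mix, n_bytes: int = 16, trials: int = 100, rng_seed: int = 1) -> float:
    """Average fraction of output bits that change when one input bit flips.

    A strong mixing function lands near 0.5 regardless of the input.
    """
    rng = random.Random(rng_seed)  # constructed sample inputs, seeded for repeatability
    total = 0.0
    count = 0
    for _ in range(trials):
        msg = bytes(rng.getrandbits(8) for _ in range(n_bytes))
        base = mix(msg)
        for bit in range(n_bytes * 8):
            diff = base ^ mix(_flip_bit(msg, bit))
            total += bin(diff).count("1") / OUT_BITS
            count += 1
    return total / count


def diff_patterns(mix, bit: int, n_bytes: int = 16, trials: int = 50, rng_seed: int = 1) -> set:
    """Set of output differences seen when flipping the same input bit in many messages.

    For a linear mixer (CRC) this set has exactly one element: the change is
    independent of the current state.  For MD5 it is a different value almost
    every time.
    """
    rng = random.Random(rng_seed)
    seen = set()
    for _ in range(trials):
        msg = bytes(rng.getrandbits(8) for _ in range(n_bytes))
        seen.add(mix(msg) ^ mix(_flip_bit(msg, bit)))
    return seen


def crc_is_affine(a: bytes, b: bytes) -> bool:
    """CRC-32 is affine over GF(2): crc(a ^ b) == crc(a) ^ crc(b) ^ crc(zeros)."""
    assert len(a) == len(b)
    xored = bytes(x ^ y for x, y in zip(a, b))
    zero = bytes(len(a))
    return mix_crc32(xored) == mix_crc32(a) ^ mix_crc32(b) ^ mix_crc32(zero)


if __name__ == "__main__":
    print("CRC-32 avalanche:", avalanche(mix_crc32))
    print("MD5/32 avalanche:", avalanche(mix_md5))
    print("distinct CRC diffs for bit 0:", len(diff_patterns(mix_crc32, 0)))
    print("distinct MD5 diffs for bit 0:", len(diff_patterns(mix_md5, 0)))
```

The point of `diff_patterns` is the one that matters for a pool: with CRC mixing, the effect of each new input bit on the pool is a fixed XOR mask, so knowledge of the pool at time T plus a guess at the inputs gives the pool at T+1 exactly; with a hash-based mixer the effect depends on the whole current state, which is what makes the search space grow instead of staying small.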
The following archive was created by hippie-mail 7.98617-22 on Thu May 27 1999 - 23:44:21