Re: [dsfjdssdfsd] What has gone wrong with RNGs in practice
Nick Mathewson <nickm@torproject.org> Sun, 17 November 2013 03:04 UTC
Return-Path: <nick.a.mathewson@gmail.com>
X-Original-To: dsfjdssdfsd@ietfa.amsl.com
Delivered-To: dsfjdssdfsd@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3A9411E8125 for <dsfjdssdfsd@ietfa.amsl.com>; Sat, 16 Nov 2013 19:04:43 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 0.251
X-Spam-Level:
X-Spam-Status: No, score=0.251 tagged_above=-999 required=5 tests=[AWL=0.740, BAYES_05=-1.11, FM_FORGED_GMAIL=0.622, NO_RELAYS=-0.001]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DaqrvsFRE4lJ for <dsfjdssdfsd@ietfa.amsl.com>; Sat, 16 Nov 2013 19:04:43 -0800 (PST)
Received: from mail-la0-x235.google.com (mail-la0-x235.google.com [IPv6:2a00:1450:4010:c03::235]) by ietfa.amsl.com (Postfix) with ESMTP id ED30511E80E9 for <dsfjdssdfsd@ietf.org>; Sat, 16 Nov 2013 19:04:42 -0800 (PST)
Received: by mail-la0-f53.google.com with SMTP id ea20so3939108lab.12 for <dsfjdssdfsd@ietf.org>; Sat, 16 Nov 2013 19:04:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:sender:in-reply-to:references:date:message-id:subject :from:to:content-type; bh=I9jRN9soYB13qfW3CyvuR+2bIo+8jTuV/5uRg4dYZ8M=; b=fQfnznCAwitmAVm5PLogblLyzHt6lcLAGvY0pYgRVjY3r5akWzuRqdBeb7daiWb5fS f7HI3Gk/QKA/eKOk1v2rh0F1rct3TpNC+s+OWIcZMrebHa1BM2zFow9N668L6PMQjlK8 MgagQ3Odr4oLFLfqQgqRgDGOOYL7SL5IZGz5IAWLx8iP38KR9hxFC7SZ4yqn6wCU6ab8 PnDvZKgdMsiTloHVmL0gPH6rn5JZp9SVk1Q9UaMHzv7d1+BSnfd28B65HMQybOuuQCDP zzWFMiHVFUE+VKM1T2DpR8Y7WBWdh5G6i27ph7dxKkIq1RZeWqOTsXhSJoHPKf/fz7Gp IB2g==
MIME-Version: 1.0
X-Received: by 10.152.27.67 with SMTP id r3mr676445lag.50.1384657481511; Sat, 16 Nov 2013 19:04:41 -0800 (PST)
Sender: nick.a.mathewson@gmail.com
Received: by 10.112.75.165 with HTTP; Sat, 16 Nov 2013 19:04:41 -0800 (PST)
In-Reply-To: <CAKDKvuw6EovCf6sv5SsY=NBqYKWxc1K9yV4TZjNFbHXBrt6rDQ@mail.gmail.com>
References: <CAKDKvuw6EovCf6sv5SsY=NBqYKWxc1K9yV4TZjNFbHXBrt6rDQ@mail.gmail.com>
Date: Sat, 16 Nov 2013 22:04:41 -0500
X-Google-Sender-Auth: dO1YpzfOzsSSj07WHdPtRY1kFOk
Message-ID: <CAKDKvuwWddj_fB5HSYnSsO3qMZVcnsFRDWPySroGoCaXmKrNYw@mail.gmail.com>
From: Nick Mathewson <nickm@torproject.org>
To: dsfjdssdfsd@ietf.org
Content-Type: text/plain; charset="ISO-8859-1"
Subject: Re: [dsfjdssdfsd] What has gone wrong with RNGs in practice
X-BeenThere: dsfjdssdfsd@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "The dsfjdssdfsd list provides a venue for discussion of randomness in IETF protocols, for example related to updating RFC 4086." <dsfjdssdfsd.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dsfjdssdfsd>
List-Post: <mailto:dsfjdssdfsd@ietf.org>
List-Help: <mailto:dsfjdssdfsd-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dsfjdssdfsd>, <mailto:dsfjdssdfsd-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 17 Nov 2013 03:04:43 -0000
On Fri, Nov 15, 2013 at 11:36 AM, Nick Mathewson <nickm@torproject.org> wrote: > Hi! [....] > G. Using the same RNG state to generate two bitstreams. > > Example: The SecureRandom structure in Android was initialized once, > and then used as the initial SecureRandom for multiple processes. This > led to a large compromise in Android bitcoin wallets. [7] > > Example: Python had the same problem [8]: the same RNG state was used > after fork. I have received a correction for this one. The original reporter of the Python bug (Christian Heimes) informs me that the bug is not in the main Python secure RNG (which just reads /dev/urandom or the local equivalent), but in OpenSSL's RNG as used in Python, which ought to be reseeded or invalidated on fork() when Python is using OpenSSL, but which is difficult to reset from an at_fork() handler because of issues as discussed in [14]. Additionally, Tanja Lange mentioned [12] another category of real-world vulnerability as discussed in [13]. These might be called: J. Using unreliable hardware entropy sources directly rather than as inputs to a PRNG. (The cautious behavior is to design your PRNG such that it produces good outputs if its inputs have *ever* been random enough.) or K. Omitting run-time tests for hardware entropy sources While some failures are undetectable, it's just tempting fate to omit tests for detectable failures of hardware components. [12] https://twitter.com/hyperelliptic/status/401831967177461760 [13] http://smartfacts.cr.yp.to/analysis.html [14] http://bugs.python.org/issue19227 best wishes, -- Nick
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Dan Brown
- [dsfjdssdfsd] What has gone wrong with RNGs in pr… Nick Mathewson
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Stephen Farrell
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Theodore Ts'o
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Arnold Reinhold
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Russ Housley
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Nick Mathewson
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Nick Mathewson
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Arnold Reinhold
- Re: [dsfjdssdfsd] What has gone wrong with RNGs i… Nick Mathewson