[Courses] [security] Random number generators
Raven Alder
raven at oneeyedcrow.net
Thu Aug 15 16:35:09 EST 2002
Heya --
Quoth Val Henson (Thu, Aug 15, 2002 at 12:16:40PM -0600):
> > "Random" typing usually results in people mashing the middle of the
> > keyboard a lot, and in quick succession.
> >
> > I've not seen any attacks based on this in particular, but I am
> > reasonably convinced that it could be done.
>
> Actually, the programs I've used that requested random input this way
> use the interval of time between keystrokes for random input, rather
> than the actual characters typed.
Right, I know OpenSSH works on timing, but I believe there are
others that use the actual character input. And even with timing,
that's going to be predictable. Not as much so as seeding with system
time or some correspondence with the state of the system that an outside
attacker could influence or guess, but I'd bet on there being noticable
patterns.
I know there have been attacks based on timing of keystrokes for
programs where each typed character is sent one at a time -- apparantly
there's a measurable difference between how people type "the" and how
they type "and", in terms of how long it takes to hit the keys (and so,
how far apart they're sent down the wire). Folks attempt to use these
differences to guess the plaintext, and that makes deciphering the
cipher easier.
If you're asked to provide random input, I think it likely that
there would be some predictable pattern as to how far apart the
keystrokes were. It's probably getting into middling paranoia to think
that breaking a cipher because of this is feasible, but it should be
possible in theory.
Cheers,
Raven
"Do you know where the RSA t-shirt is?"
"No."
"Well, I need the algorithm, so I'm doing laundry."
-- me and RavenBlack
More information about the Courses
mailing list