[Cryptography] What's a Plausible Attack On Random Number Generation?

Bill Frantz frantz at pwpconsult.com
Sat Nov 2 00:16:23 EDT 2013


On 11/1/13 at 6:25 AM, jsd at av8n.com (John Denker) wrote:

>-- Even if it works in a datacenter, network timing doesn't 
>work for a handheld device that powers up with no network 
>connectivity at all.

The finger swipe used to wake up an iPhone provides a bunch of entropy.

If we assume that the swipe takes 250 milliseconds and we sample 
the finger x,y position every 100 microseconds then we get 2500 
samples. The screen resolution is 960x640. The finger will 
travel at least 500 pixels horizontally with a vertical 
uncertainty of at least 800 pixels. (Yes, I tried it. The swipe 
works over almost the whole vertical extent of the screen.)

We will see 1 pixel of horizontal motion approximately once 
every 5 samples. The exact sample pair where we see it provides 
the horizontal entropy, or 500 bits for the swipe. The vertical 
motion will provide a few more bits of entropy -- say about 200 
for starting position and another 50 for up/down motion.

It shouldn't be hard to seed a random number generator from just 
the wakeup swipe.

[I'm all in favor of seed pools, etc. etc. etc. The more sources 
the better. But high precision UI event timings are really hard 
to guess, even with a camera watching the interaction.]

Cheers - Bill

-------------------------------------------------------------------------
Bill Frantz        | Airline peanut bag: "Produced  | Periwinkle
(408)356-8506      | in a facility that processes   | 16345 Englewood Ave
www.pwpconsult.com | peanuts and other nuts." - Duh | Los Gatos, CA 95032