[Cryptography] Not so random numbers and really random ones, kinda look the same generally

Dan Kolis dankolis at gmail.com
Tue Nov 19 13:49:32 EST 2019


Hello everyone,

Russ Allbery <eagle at eyrie.org> noted a day ago that bad random number generators
have serious consequences.

Russ A. cited an article at:
https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/

It describes an RNG used in the Ethereum ecosystem that is insanely, inconceivably
bad.


I note it is a fundamentally deceiving flaw. For instance, in a program I'm
writing, a process makes a filename randomly, hoping it never collides with
another issued one. Here are a few from the last few days' work:
2f429f43ab9822c6d8b86d16f3f9717e  bd283bb0bd4f8a4957ea7d1e010b64ed
511807071d35be60a5c74a72bcca9692  be87d15173666cb46e4993a8ddd98a29
5204d3a9eb5e9ded7272f3a0a38aea90  c223c9babb53bac1ef16b32c884918da
6c959dcfb66c8318e83b871beba0ebe4  c3637e3205b14044972b823c544566a8
705e186836e107436e2db19847d9db78  c3bb64baa1964ecd0ff7ec63e61808da
7ee10592600533e7a0132ecd5d0937e5  d027fc7d77b71a5b06d82354c39a16f6
9090c5c1e8dfb85b70686880c6526a44  e0da0c578b8a2641e3767d7fc650a2db
a5b9fe1bb248969a32946498929987d8  f167340a66c8a2436851ebf772665497
ade8f6659e7c5d9e1ed1b0069d4b8a1a  f8d4972be0bc8b7d8c4abbb0a73fb7bf


Off hand, the problem is I might just say: "looking good" and get on with
it. In this app's scope, that's fine actually. But the one described in the
above ends up repeating issued hashes routinely. So this is more like this
block of filenames:
2f429f43ab9822c6d8b86d16f3f9717e  bd283bb0bd4f8a4957ea7d1e010b64ed
511807071d35be60a5c74a72bcca9692  7ee10592600533e7a0132ecd5d0937e5
5204d3a9eb5e9ded7272f3a0a38aea90  6c959dcfb66c8318e83b871beba0ebe4
705e186836e107436e2db19847d9db78  c3bb64baa1964ecd0ff7ec63e61808da
7ee10592600533e7a0132ecd5d0937e5  d027fc7d77b71a5b06d82354c39a16f6
9090c5c1e8dfb85b70686880c6526a44  e0da0c578b8a2641e3767d7fc650a2db
c223c9babb53bac1ef16b32c884918da  f167340a66c8a2436851ebf772665497
ade8f6659e7c5d9e1ed1b0069d4b8a1a  f8d4972be0bc8b7d8c4abbb0a73fb7bf


One is repeated in the second block above. If this came from the lower
level code, for crypto it's utterly useless suddenly.

You might wonder if it's intentional for the Ethereum thing...

Anyway, I wrote this post not to rattle on about the above, but to note there
is really a fix without ANY maybe in it...

Here's a chip that measures thermal noise and makes numbers:
  http://www.fdk.com/cyber-e/pi_ic_rpg100.html

I'm surprised it's not in some motherboards now and supported in op systems
specifically.

Of course, an A/D converter and a diode will do the same thing. But the
physiological problem as above is a root cause of super duper incredibly
bad RNGs being tolerated.

They take effort to discover. Like the famous talking Barbie said before a
recall: "Math is hard".

Also, it may be possible to cook the books and leave a signature hiding in
an otherwise random-ish hash made. For instance, I think I could make an
'unfixer-upper' that changes the hash and marks it so the S-Box makes
decoding have some detectable property. This means a program of mine would
know instantly which encrypted text will be one of my set-aside ones I can
break. The marked property means perhaps only a small number of bits need
to be iterated, like for instance 2^12, and that private key will be
recovered. The conjugate of the S-Box is the point of departure for the
experiment, or crime-project, depending on your motive.... This is much
harder to detect as a black hat act than simply reusing a hash-commissioned
number 100% intact. So for instance, if this was applied to Blockchain or
Ethereum at the 1% level, a black hat program could reliably hijack any of
that percentage at will with ease and without any supercomputing ...
Nothing to it. Finding properties that live through the S-Box(es) for marking
actual messages is probably hard. But they only need to 'live a little' and
be detectable statistically. If 2^12 tries are applied to a false pick, so
what.

Time for Hardware RNGs.

Of course, Linux has a hook for such a thing:
"The hw_random framework is software that makes use of a special hardware
feature on your CPU or motherboard, a Random Number Generator (RNG). The
software has two parts: a core providing the /dev/hwrng character device
and its sysfs support, plus a hardware-specific driver that plugs into that
core."
Source: https://www.kernel.org/doc/html/latest/admin-guide/hw_random.html

But if the hardware doesn't have it, it's uncool to pretend a program is as
good, when at least some, as above, are very troubling....

Funny, just typing randomly on a keyboard under your direct control is much
better than an unseen program:


Regards,
Dan Kolis aka: Mr. 7ee10592600533e7a0132ecd5d0937e5

Hmmm, did you notice that is the repeater, or did you think I wiggle-typed
on the keyboard?

my ref: cryptography, sent 19 Nov 2019 13:40
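As an added example (not part of Dan's post), here is the check that the "looking good" eyeball pass misses: count repeats in a batch of generated identifiers and compare against the birthday bound for a uniformly random source of that size. The input is the second block of filenames quoted in the post; the function names and the "suspect"/"no repeats" verdicts are this example's own.

```python
import math
from collections import Counter

# Sample input (constructed for this example from the second block of
# filenames quoted in the post above): sixteen 32-hex-digit identifiers,
# one of which, 7ee10592600533e7a0132ecd5d0937e5, appears twice.
SAMPLE_IDS = """
2f429f43ab9822c6d8b86d16f3f9717e  bd283bb0bd4f8a4957ea7d1e010b64ed
511807071d35be60a5c74a72bcca9692  7ee10592600533e7a0132ecd5d0937e5
5204d3a9eb5e9ded7272f3a0a38aea90  6c959dcfb66c8318e83b871beba0ebe4
705e186836e107436e2db19847d9db78  c3bb64baa1964ecd0ff7ec63e61808da
7ee10592600533e7a0132ecd5d0937e5  d027fc7d77b71a5b06d82354c39a16f6
9090c5c1e8dfb85b70686880c6526a44  e0da0c578b8a2641e3767d7fc650a2db
c223c9babb53bac1ef16b32c884918da  f167340a66c8a2436851ebf772665497
ade8f6659e7c5d9e1ed1b0069d4b8a1a  f8d4972be0bc8b7d8c4abbb0a73fb7bf
""".split()


def find_repeats(ids):
    """Map each identifier that occurs more than once to its count."""
    return {h: n for h, n in Counter(ids).items() if n > 1}


def collision_probability(count, space):
    """Birthday-bound probability that `count` values drawn uniformly from
    `space` possibilities contain at least one repeat:
    1 - exp(-count*(count-1) / (2*space)).  expm1 keeps precision where
    1 - exp(x) would round to exactly 0.0 for a tiny exponent."""
    return -math.expm1(-count * (count - 1) / (2 * space))


def audit(ids, hex_digits=32):
    """Check a batch of hex identifiers: well-formedness, repeats, and how
    likely even one repeat would be if the source were uniformly random."""
    bad = [h for h in ids if len(h) != hex_digits
           or any(c not in "0123456789abcdef" for c in h)]
    repeats = find_repeats(ids)
    expected = collision_probability(len(ids), 16 ** hex_digits)
    if bad:
        verdict = "malformed"
    elif repeats:
        # A repeat that a good 128-bit source would produce with probability
        # around 1e-37 is not bad luck; it points at the generator or its seeding.
        verdict = "suspect"
    else:
        verdict = "no repeats"
    return {"total": len(ids), "unique": len(set(ids)), "repeats": repeats,
            "p_repeat_if_random": expected, "verdict": verdict}
```

Run `audit(SAMPLE_IDS)` to see the repeated identifier flagged alongside the roughly 1e-37 chance a genuine 128-bit source would have produced any repeat in sixteen draws.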