[Cryptography] Derive IV from time in ticks.

John Gilmore gnu at toad.com
Mon Feb 6 19:49:20 EST 2023


Phillip Hallam-Baker <phill at hallambaker.com> wrote:
> Hence my interest in using ticks.

Ticks are easy for an attacker to predict (use of this and the PID was
how the Berkeley undergrad cypherpunks broke the RNG in the original
Netscape browser).  See:

  https://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.html

Also, if you include the time among your crypto secrets, then the whole
timekeeping subsystem moves inside of your trust boundary.  Can an
attacker speed up your clocks (e.g. by faking GPS signals or NTP
packets, or by influencing the AC cycle time of your power supply, or
merely heating your machine room so the crystal oscillates faster)?
Then, when your machine notices it's drifted forward (e.g. with NTP), it
will drop back to an earlier time and re-use a nonce?  I am sure
that's not the only vulnerability.

(People have written code to predict what continent an anonymous person
using Tor is on, based on noticing over a period of time when their remote
system clocks ran faster or slower, assuming that was caused by
nighttime versus daytime temperatures.)

It's probably better to use a true random number that comes from a small
subsystem, rather than from a large and externally influenced one like
a realtime clock.

	John
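As an added illustration of the clock step-back failure mode described above (this is example code, not part of the original message): an IV taken from a tick counter repeats as soon as an NTP-style correction steps the counter back, and a counter-mode cipher then hands the attacker m1 XOR m2. The cipher here is a PRF-based counter-mode stream (HMAC-SHA256 keystream) standing in for AES-CTR/GCM, the tick clock is a simulated 8-byte counter, and the two messages are constructed; all of these are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added example, not code from the original post. Demonstrates nonce reuse
# from a tick-derived IV after a simulated clock step-back, and the resulting
# keystream-reuse leak in a counter-mode cipher. The HMAC-SHA256 keystream is
# a stand-in for AES-CTR; the tick clock and the messages are constructed.


def keystream(key: bytes, iv: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, iv || block_index), concatenated.
    Reusing the same (key, iv) reproduces exactly the same keystream."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(key, iv + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return xor(plaintext, keystream(key, iv, len(plaintext)))


class TickClock:
    """Simulated system tick counter (assumption: 8-byte jiffies-style
    counter). A time correction can step it backwards."""

    def __init__(self, ticks: int) -> None:
        self.ticks = ticks

    def advance(self, n: int) -> None:
        self.ticks += n

    def correct(self, n: int) -> None:
        # The OS noticed the clock ran fast and steps it back n ticks.
        self.ticks -= n

    def iv(self) -> bytes:
        return self.ticks.to_bytes(8, "big")


# Constructed sample messages, same length so the XOR lines up byte for byte.
M1 = b"PAY 1000.00 TO ALICE"
M2 = b"PAY 9999.99 TO BOB.."
assert len(M1) == len(M2)


def attack(c1: bytes, c2: bytes, known_m1: bytes) -> bytes:
    """Attacker holding two ciphertexts made with the same keystream and one
    known plaintext: c1 ^ c2 == m1 ^ m2, so (c1 ^ c2) ^ m1 == m2."""
    return xor(xor(c1, c2), known_m1)


def demo(iv_from_ticks: bool):
    """Encrypt M1, then M2 after a simulated clock step-back. Returns
    (iv_reused, attacker_recovered_m2)."""
    key = os.urandom(32)
    clock = TickClock(ticks=1_000_000)
    pick_iv = clock.iv if iv_from_ticks else (lambda: os.urandom(8))

    iv1 = pick_iv()
    c1 = encrypt(key, iv1, M1)

    clock.advance(5)   # the machine's clock ran fast for a while...
    clock.correct(5)   # ...and NTP steps it back to where it was

    iv2 = pick_iv()
    c2 = encrypt(key, iv2, M2)

    return iv1 == iv2, attack(c1, c2, M1) == M2


if __name__ == "__main__":
    print("tick-derived IV: reused=%s, m2 recovered=%s" % demo(True))
    print("random IV:       reused=%s, m2 recovered=%s" % demo(False))
```

With the tick-derived IV the second message is encrypted under the exact keystream of the first, and one known plaintext gives away the other; with an IV from os.urandom the step-back changes nothing, because the IV never depended on the clock in the first place.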


More information about the cryptography mailing list