Slashdot Mirror


NIST Updates Random Number Generation Guidelines

An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.

11 of 64 comments

  1. Bad RNG will make your crypto predictable by sinij · · Score: 4, Interesting

    One of the few poorly understood concepts in software development is that an improperly initialized (called seeding) DRBG will break your crypto.

    For Linux, and especially for headless systems, use /dev/random for seeding. You want it to block if not enough randomness is available.

    1. Re:Bad RNG will make your crypto predictable by EmeraldBot · · Score: 4, Informative

      One of the few poorly understood concepts in software development is that an improperly initialized (called seeding) DRBG will break your crypto. For Linux, and especially for headless systems, use /dev/random for seeding. You want it to block if not enough randomness is available.

      Ehhhh, not always.

      --
      "Set a man a fire, he'll be warm for the rest of the night. Set a man afire, he'll be warm for the rest of his life."
    2. Re:Bad RNG will make your crypto predictable by Copid · · Score: 4, Informative

      The classic Schneier Applied Cryptography is a great read for anybody who wants a good starting point on the basic concepts and practical considerations. It's technical-ish but conceptual rather than mathematical and leans toward describing what the various crypto pieces do, why they exist, and what they're used for. To get a good intro to some math, try The Handbook of Applied Cryptography. If you have a little bit of number theory and are willing to do some exercises up front, the book is largely self-contained and very well written. It's free for personal use, but nobody I know regretted buying a hard copy.

      --
      An interesting anagram of "BANACH TARSKI" is "BANACH TARSKI BANACH TARSKI"
    3. Re:Bad RNG will make your crypto predictable by Bruce+Perens · · Score: 2

      The problem with FM static is that you could start receiving a station, and if you don't happen to realize you are now getting low-entropy data, that's a problem.

      There are many well-characterized forms of electronic noise: thermal noise, shot noise, avalanche noise, flicker noise, all of these are easy to produce with parts that cost a few dollars.

    4. Re:Bad RNG will make your crypto predictable by Bruce+Perens · · Score: 3, Informative

      Most algorithms to do this use the time between keypresses, measured to very high precision so that the lower bits are chaotic. So it doesn't really matter what keys you hit, and it doesn't matter how rhythmic your typing is.

    5. Re:Bad RNG will make your crypto predictable by sinij · · Score: 2

      Also, when you are ready to take a leap from little knowledge, to a little bit more knowledge, read this paper: https://www.usenix.org/system/...

  2. Randomness can't come from a computer program by Bruce+Perens · · Score: 2, Interesting

    True randomness comes from quantum mechanical phenomena. Linux /dev/random is chaotic, yes, enough to seed a software "R"NG. But we can do better and devices to do so are cheap these days.

    I wouldn't trust anything but diode noise for randomness. If I had a need to transmit messages privately, I'd only trust a one-time pad.

    1. Re:Randomness can't come from a computer program by Anonymous Coward · · Score: 2, Interesting

      OneRNG - An Open and Verifiable hardware random number generator -- relevant talk from Linux.conf.au 2015. It uses diode and (optionally) RF noise to generate a stream of high-quality entropy which couples directly to the kernel.

      They touch upon a concept that I believe many admins should be aware of: if you do mass-deployment of machines, this might very well include generation of e.g. SSH keys. The problem is if the keys are generated at such an early stage that the random pool cannot yet be readily distinguished from that of other machines within the deployment. This might open up the possibility for an attacker who has knowledge about a less privileged machine within such a deployment to attack machines which at a later stage got more important roles.

      I have even seen situations where companies have created images with pre-generated cryptographic signatures, making all machines within a deployment hold the exact same secret information...
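Two points in this thread matter to anyone deploying systems: a DRBG's entire output is a function of its seed (sinij's comment on seeding from a blocking source), and cloned images that seed identically produce identical keys (the mass-deployment problem in the OneRNG reply). As an added example that is not part of the thread and not NIST's own code, here is a minimal SP 800-90A HMAC_DRBG in Python, chosen over CTR_DRBG because it needs no AES library; the class and function names are mine, and the fixed seed used in the comments is a constructed value, not a real entropy source.

```python
# Added example, not code from the thread or from NIST: a minimal SP 800-90A
# HMAC_DRBG (SHA-256) in pure standard-library Python. A DRBG's entire output
# is a function of its seed, so seed it from a blocking kernel source.
import hashlib
import hmac
import os

class HmacDrbg:
    """SP 800-90A HMAC_DRBG over SHA-256; section numbers refer to that document."""
    RESEED_INTERVAL = 1 << 48  # maximum permitted for HMAC_DRBG (section 10.1)
    OUTLEN = 32

    def __init__(self, entropy_input: bytes, nonce: bytes, personalization: bytes = b""):
        if len(entropy_input) < 32:  # at least security_strength (256) bits of entropy
            raise ValueError("entropy_input must carry at least 256 bits")
        self.key, self.v = b"\x00" * self.OUTLEN, b"\x01" * self.OUTLEN
        self._update(entropy_input + nonce + personalization)  # instantiate, 10.1.2.3
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:  # HMAC_DRBG_Update, 10.1.2.2
        self.key = self._hmac(self.v + b"\x00" + provided_data)
        self.v = self._hmac(self.v)
        if provided_data:
            self.key = self._hmac(self.v + b"\x01" + provided_data)
            self.v = self._hmac(self.v)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        self._update(entropy_input + additional_input)  # 10.1.2.4
        self.reseed_counter = 1

    def generate(self, nbytes: int, additional_input: bytes = b"") -> bytes:
        if self.reseed_counter > self.RESEED_INTERVAL:  # 10.1.2.5: refuse, never keep going
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < nbytes:
            self.v = self._hmac(self.v)
            out += self.v
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:nbytes]

def new_drbg(personalization: bytes = b"") -> HmacDrbg:
    """Seed from the kernel: on Linux, os.urandom() uses getrandom(2) in blocking mode,
    so it waits until the pool is initialized, as the parent comment wants from /dev/random."""
    return HmacDrbg(os.urandom(48), os.urandom(16), personalization)
```

Two instances built from the same seed, nonce and personalization string return byte-identical output, which is exactly what happens to "host keys" generated from a cloned image before the pool diverges; reseeding either one from fresh entropy breaks the tie.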

  3. A lot of effort to make sure bits aren't leaked by thogard · · Score: 2

    Why do so many systems still use the hashed root or admin password to seed TCP sequence numbers? Cisco, Sun, IBM and DEC all started doing it about the same time. So who suggested it to them, and just how many groups know what it takes to pull bits out of that hash?

  4. Why should we trust NIST encryption? by Slayer · · Score: 4, Insightful

    NIST recklessly broke our trust in them by allowing known-to-be-broken encryption into their standard. Their new document may come with all the best intentions, but it will take years to rebuild that trust. Let's wait for what the crypto community has to say about these documents before we blindly follow their latest standards.

  5. So the work begins again by bytesex · · Score: 2

    To find out where the NSA put the twist.

    --
    Religion is what happens when nature strikes and groupthink goes wrong.