Gentoo Forums
How random is random (security Q)?
artificio
Apprentice

Joined: 15 Sep 2004
Posts: 183

Posted: Mon Jan 16, 2006 6:56 am    Post subject: How random is random (security Q)?

I'd like to generate a random knock sequence and I was wondering about how random /dev/random was. I could use,
Code:
cat /dev/random | od

and pull the nth number of each line, if even, tcp, odd/space udp, then pull four more digits for the port number (with some restrictions) to generate a random knock sequence. However, I read that programs like ssh use their own random generator since /dev/random isn't that random. However, I was also thinking, someone would need a significant number of knock sequences to get enough info to generate the next knock sequence. Especially if I have the knock generation script pick numbers to use at random intervals. So, I suppose my question is, how much data would someone need to figure out the sequence that's generating random knock sequences at random intervals from /dev/random?
Would one hundred 10 port knock sequences be enough, or is it larger or smaller than that?
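Added example, not part of the original post or thread: one way to build the knock sequence asked about above directly from the kernel generator, without the digit-picking step. It reads whole integers from /dev/urandom, rejects out-of-range ports instead of taking a remainder, and computes how many bits a sequence carries; PORT_MIN, PORT_MAX, the function names and the "port/proto" output format are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). PORT_MIN, PORT_MAX and all function
# names are assumptions chosen for illustration.
PORT_MIN=1024
PORT_MAX=65535

# One unsigned integer of $1 bytes (1 or 2) from the kernel generator.
# Whole values are read with -tu; od's default output is octal words whose
# leading digit is only ever 0 or 1, so picking digits from it is biased.
rand_uint() {
    od -An -N"$1" -tu"$1" /dev/urandom | tr -d ' \n'
}

# Uniform port in [PORT_MIN, PORT_MAX] by rejection sampling: out-of-range
# draws are thrown away rather than folded back with a modulo.
rand_port() {
    while :; do
        rp_v=$(rand_uint 2)
        if [ "$rp_v" -ge "$PORT_MIN" ] && [ "$rp_v" -le "$PORT_MAX" ]; then
            echo "$rp_v"
            return 0
        fi
    done
}

# Protocol from the low bit of one random byte: even tcp, odd udp.
rand_proto() {
    if [ $(( $(rand_uint 1) % 2 )) -eq 0 ]; then echo tcp; else echo udp; fi
}

# Print $1 knocks (default 10), one "port/proto" per line.
knock_sequence() {
    ks_n=${1:-10}
    ks_i=0
    while [ "$ks_i" -lt "$ks_n" ]; do
        echo "$(rand_port)/$(rand_proto)"
        ks_i=$((ks_i + 1))
    done
}

# Bits of entropy in a sequence of $1 knocks: n * log2(ports * 2 protocols).
sequence_bits() {
    awk -v n="$1" -v lo="$PORT_MIN" -v hi="$PORT_MAX" \
        'BEGIN { printf "%.1f\n", n * log((hi - lo + 1) * 2) / log(2) }'
}

knock_sequence 10
echo "entropy: $(sequence_bits 10) bits"
```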
PRC
Apprentice

Joined: 15 Aug 2005
Posts: 191

Posted: Mon Jan 16, 2006 7:11 am

Hey, when you're really bored, just stare at:
Code:
cat /dev/urandom | od


Edit: Oh, you had a question, minded this is OTW. Best to shoot for another Forum, and mods will kick it into OTW, if need be.
_________________
Mayhem G4 (Asus z71v)
artificio
Apprentice

Joined: 15 Sep 2004
Posts: 183

Posted: Mon Jan 16, 2006 7:20 am

I figured they would move it to otw, since it isn't Gentoo specific. But then again, it might fit in Portage and Programming...
I hope a nice mod would stick it there if applicable! ;)
PRC
Apprentice

Joined: 15 Aug 2005
Posts: 191

Posted: Mon Jan 16, 2006 7:21 am

Network & security?
_________________
Mayhem G4 (Asus z71v)
artificio
Apprentice

Joined: 15 Sep 2004
Posts: 183

Posted: Mon Jan 16, 2006 7:27 am

Well, it could be... I figure Portage and Programming has a wider range of stuff, but Network and Security seems more apt. I was thinking about reposting the question, but someone'll move it where it can get answered, hopefully. :lol:
shickapooka800
Guru

Joined: 05 Dec 2004
Posts: 304
Location: no

Posted: Mon Jan 16, 2006 7:48 am    Post subject: Re: How random is random (security Q)?

artificio wrote:
I'd like to generate a random knock sequence and I was wondering about how random /dev/random was. I could use,
Code:
cat /dev/random | od

and pull the nth number of each line, if even, tcp, odd/space udp, then pull four more digits for the port number (with some restrictions) to generate a random knock sequence. However, I read that programs like ssh use their own random generator since /dev/random isn't that random. However, I was also thinking, someone would need a significant number of knock sequences to get enough info to generate the next knock sequence. Especially if I have the knock generation script pick numbers to use at random intervals. So, I suppose my question is, how much data would someone need to figure out the sequence that's generating random knock sequences at random intervals from /dev/random?
Would one hundred 10 port knock sequences be enough, or is it larger or smaller than that?


i have little experience with random number generators (i am told MATLAB's random number generator is really good), so i will give you my own little take on it.

if you're after security, you could go with a chaotic function, for instance,

take the iterative equation: x(n+1) = A*x(n)*(1 - x(n)^2)

if you take an initial value of x(1) = .700000000, and compare it with x(1) = .700000001

you will see that around iteration n~=40, the two functions differ by about the value of A (the attractor) despite being 1 part in 10^8 away from one another.

so in order to guess, with any precision, the future values of the seemingly random numbers used in your application, one would have to know the initial value to within 8 decimal places, which is relatively impossible without an incredible amount of time, patience, and sheer intuition.

that is how I would govern a process that i wanted to be secure. I would have the iterative x values be my "random" numbers.

but then again i know little on the subject, i am just really tired and bored, so don't listen to me :)
Naib
Watchman

Joined: 21 May 2004
Posts: 6069
Location: Removed by Neddy

Posted: Mon Jan 16, 2006 9:10 am

Computers cannot generate RANDOM numbers.
IF you know the seed, the mech and the number of steps a pseudo-random number generator has done, you can calculate that random number

Something that can be calculated can never be called random
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
PRC
Apprentice

Joined: 15 Aug 2005
Posts: 191

Posted: Mon Jan 16, 2006 9:16 am

Random is just the probability of something happening. The smaller the reoccurrence, the more "random" we take it as. The more digits you add or use in your calculations then the more random an operation seems.
_________________
Mayhem G4 (Asus z71v)
coriolan
Apprentice

Joined: 21 Apr 2005
Posts: 273

Posted: Mon Jan 16, 2006 9:52 am

See http://www.random.org/ for true random numbers.
_droop_
l33t

Joined: 30 May 2004
Posts: 957

Posted: Mon Jan 16, 2006 9:54 am

Naib wrote:
Computers cannot generate RANDOM numbers.
IF you know the seed, the mech and the number of steps a pseudo-random number generator has done, you can calculate that random number

Something that can be calculated can never be called random


Hi,

/dev/random and /dev/urandom use an entropy pool to generate numbers. This pool is linked to what your pc does (data on io buses). In fact, it is not possible (at least very difficult) to create the same entropy pool on another computer to build the same number sequences.

See man urandom for more details.
Maedhros
Bodhisattva

Joined: 14 Apr 2004
Posts: 5511
Location: Durham, UK

Posted: Mon Jan 16, 2006 12:43 pm

artificio wrote:
but someone'll move it where it can get answered, hopefully.

Report it, and then you won't have to hope. :wink:

Moved from Off the Wall to Networking & Security.
_________________
No-one's more important than the earthworm.
Naib
Watchman

Joined: 21 May 2004
Posts: 6069
Location: Removed by Neddy

Posted: Mon Jan 16, 2006 12:50 pm

_droop_ wrote:
Naib wrote:
Computers cannot generate RANDOM numbers.
IF you know the seed, the mech and the number of steps a pseudo-random number generator has done, you can calculate that random number

Something that can be calculated can never be called random


Hi,

/dev/random and /dev/urandom use an entropy pool to generate numbers. This pool is linked to what your pc does (data on io buses). In fact, it is not possible (at least very difficult) to create the same entropy pool on another computer to build the same number sequences.

See man urandom for more details.


All that is, is successive re-seeding to try to make something appear more random.
ANY algorithm (or hardware XOR tapped network) is exactly that, an algorithm. Once that algorithm is seeded and it is let run it will eventually start to repeat the same sequence, thus they are not random

All computers and hardware do to make a pseudo-random number become close to a true-random number is take repetitive seeds from the only true random sources they have

1) mouse input from a user
2) background noise on a soundcard input
3) temperature monitor of the CPU (if going down to 10mC)

THUS all that /dev/random and /dev/urandom are are reseeded algorithms, ie not true random number generators
_________________
#define HelloWorld int
#define Int main()
#define Return printf
#define Print return
#include <stdio>
HelloWorld Int {
Return("Hello, world!\n");
Print 0;
artificio
Apprentice

Joined: 15 Sep 2004
Posts: 183

Posted: Tue Jan 17, 2006 6:28 am

Alright, for my needs. I'll define random as not easy to model by a third party watching my network traffic. And in that case, it seems like /dev/random is sufficiently random. Although cat'ing mouse movement, or background noise would be neat...
Thanks everyone! :D
PaulBredbury
Watchman

Joined: 14 Jul 2005
Posts: 7310

Posted: Tue Jan 17, 2006 7:55 am

G4User wrote:
Hey, when you're really bored, just stare at:
Code:
cat /dev/urandom | od

Obligatory post: "I don't see the numbers anymore. I just see blonde, brunette, redhead..."
All times are GMT