Cryptography Reference
In-Depth Information
12.2.1 The Generation of Start Values
For the derivation of start values for cryptographic random number generators,
so-called entropy sources are required, which while observable, are neither
predictable nor able to be influenced. Every sequence of pseudorandom numbers
that proceeds deterministically is at most as secure as its start value. An attacker
who knows or can guess the start value of a pseudorandom sequence thereby
knows the entire random sequence or the keys or passwords derived from it.
The notion of entropy is borrowed from physics, where it is used as a measure
of disorder in closed systems. The idea that good start values are achieved from
the observation of the greatest possible disorder seems to be more intuitive and
compelling than to speak of the “randomness of start values.”
For our purposes, we will use primarily artificial sources of entropy, in
particular, certain system statistics such as the number of clock ticks for certain
processes, measures of external events such as mouse movements or the times
between keyboard events or mouse clicks by users.
Such parameters are best combined with one another in a mixture, such as
through the use of hash functions.
Functions for obtaining entropy are also offered by various operating systems,
for example, by Linux and by the Win32 CryptoAPI under Windows. The Win32
CryptoAPI offers the function
CryptGenRandom()
, which takes entropy from a
variety of sources available to the operating system. Here it is necessary to bind
the link library ADVAPI32.LIB in order to use the Win32 DLL ADVAPI32.DLL
(see [HoLe]).
Linux and FreeBSD offer entropy via the virtual devices
/dev/random
and
/dev/urandom
. The associated driver manages a 512-byte
entropy pool
, which is
filled with the results of a variety of continuously monitored unpredictable events.
The most productive source of these random events is the keyboard: The last digit
of the microsecond-precise time measurement between two keyboard events
can be neither predicted nor reproduced. Further sources are times associated
with mouse movements, hardware interrupts, and block devices from the kernel.
When the entropy pool is queried, 64-byte blocks from the pool are processed
sequentially with the hash function SHA-1, and the result of this operation is
played back into the pool. The hash function is then applied again to the first
64 bytes of the pool, and the result is finally returned to the calling function as a
random value. The process is repeated as often as necessary until the required
number of bytes is returned, and read access is terminated. The device file
/dev/random
always outputs only as many bits as corresponds to the available
entropy in the pool. If the requests exceed this amount, then the virtual device is
blocked, and it returns additional random bytes only after a sufficient number of
events have occurred that can be observed for the production of entropy.
