Cryptography Reference
In-Depth Information
System time.
Interrupt vectors or status information of the system: under UNIX V.4, for
example, the output of ps -elf. Even more clever is the method by Wietse
Venema, which he uses in his famous SATAN program (to check the security
of UNIX systems); here modified for Linux:
#!/bin/bash
(ps axl & ps -elf & netstat -na & netstat -s & ls -lLRt /dev & w) 2>&1 |
md5sum |
{ read word rest; echo $word; }
All six commands run concurrently in the background; the sequence of their
outputs is not predictable. Each command describes a current system state.
Error outputs (due to undefined switches) don't play a role.
Values of non-initialized variables (this is an insecure and rather weak
source of randomness, but it can be utilized: the values are sometimes hard
to predict under UNIX).
User keyboard entries. The time intervals between keystrokes are measured
as precisely as the computer permits. The keys pressed can also be included
in the evaluation. With several dozen keystrokes, the value created meets
high demands.
The method is well suited for one-time initializations. It is used, for example, in
the PGP software package to create an initial value for searching prime numbers.
Conversely, it would be cumbersome to have to chaotically clatter on the keyboard
upon each program start. PGP stores values created in encrypted form.
Air turbulence in hard disk enclosures is believed to have also been utilized
for random number generation.
External random sources such as speech input, Geiger counters, seismometers,
and many more can also be used — but there is a drawback since additional
hardware is required.
Arbitrary mouse movements are suitable, too; but not every computer user
works with the mouse.
Figure 5.7: Some pseudo-random events a computer could poll.
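The keyboard method from the figure, as an added example that is not code from the book or from PGP: keys and inter-keystroke intervals are hashed into a pool, and a seed is released only after enough unpredictable events have arrived. The class and function names, the 128-bit threshold, the credit of 2 bits per keystroke and the sample input are assumptions made for this sketch.

```python
import hashlib
import struct


class KeystrokePool:
    """Hash pool fed by (key, inter-keystroke interval) pairs."""

    def __init__(self, needed_bits=128, bits_per_event=2):
        # Both numbers are assumptions for this example, not values from the book.
        self.needed_bits = needed_bits
        self.bits_per_event = bits_per_event
        self.credited_bits = 0
        self._pool = hashlib.sha256()
        self._last = None  # (timestamp_ns, delta_ns, key_code) of previous event

    def add_event(self, key_code, timestamp_ns):
        """Mix one keystroke in; return True if it earned entropy credit."""
        delta = 0 if self._last is None else timestamp_ns - self._last[0]
        self._pool.update(struct.pack(">Iq", key_code, delta))
        # Conservative credit: the first event, an unchanged interval or a
        # repeated key (auto-repeat from a held key) counts for nothing.
        fresh = (self._last is not None
                 and delta != self._last[1]
                 and key_code != self._last[2])
        if fresh:
            self.credited_bits += self.bits_per_event
        self._last = (timestamp_ns, delta, key_code)
        return fresh

    def ready(self):
        return self.credited_bits >= self.needed_bits

    def seed(self):
        """Return a 32-byte seed, refusing while too little has been typed."""
        if not self.ready():
            raise RuntimeError("need more keystrokes: %d/%d bits"
                               % (self.credited_bits, self.needed_bits))
        return self._pool.copy().digest()


def feed(pool, keys, intervals_ns):
    """Replay constructed (key, interval) pairs into the pool."""
    now = 0
    for key, gap in zip(keys, intervals_ns):
        now += gap
        pool.add_event(key, now)
    return pool.credited_bits
```

The seed is a deterministic function of what was typed and when, so all of its unpredictability comes from the timing and the key choice; a held key that auto-repeats at a fixed rate earns no credit.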