Re: /dev/random is probably not

From: Thomas (tom_at_electric-sheep.org)
Date: 07/06/05

  • Next message: Darren Reed: "Re: /dev/random is probably not"
    To: bugtraq@securityfocus.com
    Date: Wed, 6 Jul 2005 07:51:44 +0200
    
    

    > At the last place at which I worked, a few years ago, a "random
    > number" was generated, and used in a FIPS 140-1 compliant
    > encryption device, by capturing 128 ethernet frames in sequence
    > from the local in-house network, gathering the LSB from the
    > arrival time of each frame, and using those values to generate
    > an encryption key. This was part of the "activation sequence"
    > which had to be done, once, on each such device.
    >
    > Any studies out there on the randomness of such a number?
    > At first glance a non-deterministic network would seem to be
    > able to generate a useful number for the key.

    It doesn't look like a good source of entropy. At least it wouldn't
    withstand an active attack during this activation phase.

    > - Bob Foxworth, GSEC, CISSP

    Thomas Biege

    -- 
    Tom <tom@electric-sheep.org>
    fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF
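The scheme in the quoted message takes one bit from each of 128 frame arrival times. As an added example (not part of the original thread), the Python code below estimates how much entropy such bits can carry, using constructed timestamp sequences; the integer-tick timestamps, the function names and the sample gaps are all assumptions.

```python
import random
from collections import Counter
from math import log2

FRAMES = 128  # the quoted scheme takes one bit from each of 128 frames

def arrival_ticks(gaps):
    """Turn inter-arrival gaps (integer clock ticks) into arrival timestamps."""
    ticks, now = [], 0
    for gap in gaps:
        now += gap
        ticks.append(now)
    return ticks

def lsb_bits(ticks):
    """The key material: least significant bit of each arrival timestamp."""
    return [t & 1 for t in ticks]

def mcv_min_entropy(bits):
    """Most-common-value estimate in bits per sample. Only detects bias."""
    return log2(len(bits) / max(Counter(bits).values()))

def markov_min_entropy(bits):
    """Estimate when each bit is guessed from the bit before it."""
    pairs = Counter(zip(bits, bits[1:]))
    hits = sum(max(pairs[(prev, 0)], pairs[(prev, 1)]) for prev in (0, 1))
    return log2((len(bits) - 1) / hits)

def key_entropy_estimate(ticks):
    """Upper bound on key entropy: lower of the two estimates times bit count."""
    bits = lsb_bits(ticks)
    return len(bits) * min(mcv_min_entropy(bits), markov_min_entropy(bits))

# Constructed inputs, not captures. Integer-tick timestamps are an assumption.
rng = random.Random(2005)
JITTERY = arrival_ticks(rng.randrange(1000, 200000) for _ in range(FRAMES))
PACED_EVEN = arrival_ticks([1000] * FRAMES)  # fixed even gap: LSB never changes
PACED_ODD = arrival_ticks([1001] * FRAMES)   # fixed odd gap: LSB alternates

if __name__ == "__main__":
    for name, ticks in (("jittery", JITTERY), ("paced even", PACED_EVEN),
                        ("paced odd", PACED_ODD)):
        bits = lsb_bits(ticks)
        print(f"{name:10s} mcv={mcv_min_entropy(bits):.2f} "
              f"markov={markov_min_entropy(bits):.2f} "
              f"key<={key_entropy_estimate(ticks):.1f} bits")
```

Both estimates are upper bounds computed from the observed bits alone. The odd-gap case scores a full bit per frame on the bias test while being fully predictable from the previous bit, so a balanced bit count by itself says little about the key.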
    
