Re: Where do the random numbers come from?

From: Richard E. Silverman (
Date: 02/10/05

Date: 09 Feb 2005 20:52:41 -0500

> Not sure if this is the best community to ask, but it is the closest I
> have found. I am programming an encrypted connection between a client and
> a server, and I have tried to mimic the way ssh does it (TLS) -

SSH and TLS are entirely separate protocols; they have nothing to do with
one another. More to the point, why are you trying to "mimic" an existing
well-tested secure protocol, instead of simply using one?

> except that I don't use a handshake, as the protocol is already set from
> the beginning. Briefly I randomly generate a key for AES, which I then
> encrypt with RSA and the servers public key. The rest of the data is being
> encrypted with the RSA key.

I presume you mean "AES key" here. This is a bad idea; your protocol is
very susceptible to a Trojan horse attack. A Trojan client can simply use
a weak key (fixed, reduced keyspace, etc.); everything will look normal,
but your traffic will be easily readable by an attacker.

> However, I feel there is a last bit of uncertainty - where do the random
> numbers for generating the AES key come from? The library I use
> (BouncyCastle) just initializes the random numbers generator with the
> system time.

If this is true, it is phenomenally bad, and I would not trust anything
else in this library either.

> So I wonder, how do common ssh implementations solve this? I have never
> noticed any of these applications (including https) ask the user to do some
> random typing to generate noise?

On Unix they typically use the OS's /dev/random source, which in turn
usually draws on a variety of sources such as interrupt timing, network
activity, keyboard/mouse, etc.

> Any advice would be much appreciated!

Use an existing protocol instead of inventing your own, filled with all
the usual mistakes made by people who don't know anything about security
protocols. Unless this is a learning exercise of some kind, in which
case you'll find the answers to these sorts of questions in any
text on basic cryptography and protocol design.

  Richard Silverman
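As an added illustration (not code from this thread, and not BouncyCastle's), the following Python models the two seeding strategies the reply contrasts: a key generator whose entire state is the system clock, versus a key drawn from the OS entropy pool that SSH implementations rely on. The clock-seeded model uses Python's non-cryptographic random.Random purely to stand in for "initialise the generator with the system time"; all function names are my own.

```python
import os
import random

KEY_BYTES = 32  # AES-256 key length


def clock_seeded_key(seconds: int) -> bytes:
    """Constructed model of 'seed the PRNG with the system time'.

    The generator's only input is the timestamp, so the key is a
    deterministic function of the second in which it was made.
    random.Random is NOT a CSPRNG; it is used here only to model the
    behaviour described in the thread.
    """
    rng = random.Random(seconds)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def os_entropy_key() -> bytes:
    """Draw the key from the OS CSPRNG (getrandom()/urandom on Linux),
    which is fed by the kernel pool (interrupt timing, disk/network
    activity, keyboard/mouse) mentioned in the reply."""
    return os.urandom(KEY_BYTES)


def clock_seed_is_reproducible(seconds: int) -> bool:
    """Two 'independent' clients seeded in the same second share a key."""
    return clock_seeded_key(seconds) == clock_seeded_key(seconds)


def distinct_keys_in_window(start: int, width: int) -> int:
    """Number of distinct keys the clock-seeded model can produce over a
    `width`-second window: at most one per second, i.e. the effective
    keyspace is `width`, not 2**256."""
    return len({clock_seeded_key(s) for s in range(start, start + width)})
```

Run `distinct_keys_in_window(1108000000, 60)` (a constructed 2005-era timestamp) and compare with `os_entropy_key()` called twice: the former is bounded by the window size, the latter never repeats.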
