Re: Where do the random numbers come from?

From: Richard E. Silverman (
Date: 02/10/05

Date: 09 Feb 2005 20:52:41 -0500

> Not sure if this is the best community to ask, but it is the closest I
> have found. I am programming an encrypted connection between a client and
> a server, and I have tried to mimic the way ssh does it (TLS) -

SSH and TLS are entirely separate protocols; they have nothing to do with
one another. More to the point, why are you trying to "mimic" an existing
well-tested secure protocol, instead of simply using one?

> except that I don't use a handshake, as the protocol is already set from
> the beginning. Briefly I randomly generate a key for AES, which I then
> encrypt with RSA and the servers public key. The rest of the data is being
> encrypted with the RSA key.

I presume you mean "AES key" here. This is a bad idea; your protocol is
very susceptible to a Trojan horse attack. A Trojan client can simply use
a weak key (fixed, reduced keyspace, etc.); everything will look normal,
but your traffic will be easily readable by an attacker.

> However, I feel there is a last bit of uncertainty - where do the random
> numbers for generating the AES key come from? The library I use
> (BouncyCastle) just initializes the random numbers generator with the
> system time.

If this is true, it is phenomenally bad, and I would not trust anything
else in this library either.

> So I wonder, how do common ssh implementations solve this? I have never
> noticed any of these applications (including https) ask the user to do some
> random typing to generate noise?

On Unix they typically use the OS's /dev/random source, which in turn
usually draws on a variety of sources such as interrupt timing, network
activity, keyboard/mouse, etc.

> Any advice would be much appreciated!

Use an existing protocol instead of inventing your own, filled with all
the usual mistakes made by people who don't know anything about security
protocols. Unless this is a learning exercise of some kind. In which
case you'll find the answers to these sorts of questions in any
text on basic cryptography and protocol design.

  Richard Silverman
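The point about seeding a generator from the system clock, and the contrast with drawing from the OS entropy pool, can be made concrete in a few lines. The following is an added example, not code from this thread, from BouncyCastle or from Silverman: `time_seeded_key` is a constructed model of a library whose PRNG is seeded with a millisecond timestamp, `os_entropy_key` reads the operating system's pool (which on Unix is the /dev/random family that the reply describes) via `os.urandom`, and `effective_key_bits` measures how many distinct keys the clock-seeded design can actually produce across a window of seed values.

```python
import math
import os
import random

KEY_BYTES = 32  # AES-256 key length


def time_seeded_key(seed_ms):
    """Constructed model of a library that seeds its PRNG with the system
    clock: the whole 256-bit key is a deterministic function of the
    millisecond timestamp, so anyone who knows the seed knows the key."""
    rng = random.Random(seed_ms)
    return bytes(rng.getrandbits(8) for _ in range(KEY_BYTES))


def os_entropy_key():
    """Key drawn from the OS entropy pool (os.urandom reads the kernel
    CSPRNG, fed by interrupt timing, device activity and similar sources).
    No seed is visible to the application, so there is nothing to guess."""
    return os.urandom(KEY_BYTES)


def effective_key_bits(seed_ms_start, window_ms):
    """Upper bound on the entropy of clock-seeded keys generated within a
    window of window_ms possible seed values: at most one distinct key
    per seed, so the key space is log2(window_ms) bits at best, however
    long the AES key itself is."""
    distinct = {time_seeded_key(seed_ms_start + i) for i in range(window_ms)}
    return math.log2(len(distinct))


if __name__ == "__main__":
    # Constructed seed: the same clock value always yields the same key.
    print(time_seeded_key(1_000) == time_seeded_key(1_000))
    # 1024 possible seeds can never give more than 10 bits of key entropy.
    print(effective_key_bits(0, 1024))
    # OS-pool keys carry no such bound.
    print(os_entropy_key().hex())
```

The measurement is the defender's check: a 256-bit AES key whose generator was seeded from a clock has an effective strength of the seed space, not the key length. This is also why the Trojan-client concern in the reply is independent of the library: the server has no way to tell whether the key it receives came from a good generator or a bad one.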