Re: Good Program That Creates OTPs?
From: Matthew Skala (mskala_at_ansuz.sooke.bc.ca)
Date: 12/14/03
- Next message: Olivier: "Lost password memorised in Windows : how can I get it again"
- Previous message: Tom St Denis: "Re: IP Level Encryption"
- In reply to:(deleted message) Hillary Clinton: "Re: Good Program That Creates OTPs?"
- Next in thread: Hillary Clinton: "Re: Good Program That Creates OTPs?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: 14 Dec 2003 11:00:55 -0500
In article <Y3VydHdpbGw=.dccc7416dbfc8deac3b241d0df897ea9@1071334809.cotse.net>,
Hillary Clinton <no-one@nowhere.com> wrote:
>Janet managed to get her finger out of my twat long enough to tell me that
>/dev/random is a PRNG- whatever that is. She said that's what Bill depended
/dev/random and /dev/urandom are the output ports of an entropy-pool true
random number generator similar in design to Counterpane's Yarrow.
/dev/random is the one that blocks in order to only output as much
randomness as is available; its output should be considered truly random.
/dev/urandom is more like a PRNG.
>Do a google seach and you'll find a mechanism to create your own random
>stream using a simple Geiger counter and a luminous dial from a watch or
I'd trust /dev/random, which has been examined by a lot of people, in
preference to something homemade. One could combine the two,
though, by building the Geiger-counter device and feeding its output into
the /dev/random entropy pool. The resulting construction would be at
least as secure as secure as /dev/urandom (assuming the Geiger-counter
device's output is completely insecure) and also at least as secure as
the Geiger-counter device's output (assuming the other inputs to
/dev/random are insecure). That's almost certainly secure enough.
>I'm not certain why you only need to randomize the numbers between 0 and
>9999, or whatever.
It was not me who wanted to do that.
>Here's another idea for you. Download both a 10 meg file and a one meg file.
>Hash the 1 meg file after adding a large phrase as salt. Then use the output
>from SHA-512 as the encryption key to crate the pad. You didn't start off
>with a secret file, but I bet it's pretty random and secret by now.
A file downloaded from the Net is not secret. The hash of a such a
file is not secret. You can't take public numbers and turn them into
something "random and secret" by applying a public, deterministic
function. The procedure your describe is not secure, and you know
it. Plonk.
-- Matthew Skala mskala@ansuz.sooke.bc.ca Embrace and defend. http://ansuz.sooke.bc.ca/
- Next message: Olivier: "Lost password memorised in Windows : how can I get it again"
- Previous message: Tom St Denis: "Re: IP Level Encryption"
- In reply to:(deleted message) Hillary Clinton: "Re: Good Program That Creates OTPs?"
- Next in thread: Hillary Clinton: "Re: Good Program That Creates OTPs?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
