1993-11-29 - Re: Cryptosplit 2.0

Header Data

From: cman@caffeine.io.com (Douglas Barnes)
To: m5@vail.tivoli.com (Mike McNally)
Message Hash: 8975e4fe1091eb7e1cde31dadf7f763e3e3bb44ac69783ff30ccc13ae0a6bd33
Message ID: <199311291602.KAA29523@caffeine.caffeine.io.com>
Reply To: <9311291426.AA20155@vail.tivoli.com>
UTC Datetime: 1993-11-29 16:17:12 UTC
Raw Date: Mon, 29 Nov 93 08:17:12 PST

Raw message

From: cman@caffeine.io.com (Douglas Barnes)
Date: Mon, 29 Nov 93 08:17:12 PST
To: m5@vail.tivoli.com (Mike McNally)
Subject: Re: Cryptosplit 2.0
In-Reply-To: <9311291426.AA20155@vail.tivoli.com>
Message-ID: <199311291602.KAA29523@caffeine.caffeine.io.com>
MIME-Version: 1.0
Content-Type: text/plain

> On UNIX systems, where keystroke timing can be problematic, couldn't a
> collection of various system metrics be used to provide a bunch of
> reasonable pseudo-random bits?  Things like:
> *	Disk space in /
> *	Network activity (in/out packet counts)
> *	load average
> *	swap space available
> *	time of day (duhh)
> Of course, one would want to ensure that no monitoring or logging
> software (like the stuff I work on :-) keeps coherent snapshots around
> anywhere... 

Jim McCoy and I have been talking about this; the underylying question
is "how many bits of entropy are in a ps"?

Time of day, for instance, is very low entropy. The results of 'ps'
vary wildly in their entropy depending on the system and whether your
opponent has access to it or could make reasonable guesses about parts
of it.

ps is better than load average, because it always has an affect on the
system when run; load average is an *average* and is rather slow to
change. Still, we have argued over many a cup of coffee whether there's 
128 bits of entropy in ps. I think the answer is yes, or real close, for 
a system with lot of users, but not if things are slow or you don't
have many users. Of course, the more rapidly the opponent takes snapshots,
the more she perturbs the ps...

My point in all this, is that if your opponent knows the components you're
doing an MD5 of to get your random bits, and these components are low
entropy with respect to that attacker (she is on the same system and 
can monitor roughly the same statistics that you can) then this opponent
could search through the space of reasonable pertubations in the 'ps'
listing between snapshots, could extrapolate between snapshots of the
load average, etc. And feed them to MD5 herself. If you are running a
stock single user configuration, it wouldn't even be necessary for the 
opponent to be on the same system.

If there is something or somethings on any Unix system with sufficient 
entropy that can be reliably polled and fed to MD5 I'd love to know it.
(This strikes me also as something that is not going to be real portable...
I have visions of #ifdefs dancing in my head)

Some people think this is a little paranoid on my part. Ok, maybe,
but I want a lockable /dev/rand.

----------------                                             /\ 
Douglas Barnes            cman@illuminati.io.com            /  \ 
Chief Wizard         (512) 447-8950 (d), 447-7866 (v)      / () \
Illuminati Online          metaverse.io.com 7777          /______\