asciilifeform: BingoBoingo: http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg/#comment-67939 << answer.
BingoBoingo: Question http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg/#comment-67915
mircea_popescu: ;;later tell bingoboingo "Following the news of a serious RNG bug affecting all GPG versions a low energy shitgnome campaign of apologetics and "not that bad" followed." << can i get a "The fact that hundreds of GPG keys have been Phuctored in the past year has, of course, nothing to do with all this." added ?
asciilifeform: the rng thing was in all published vers.
mircea_popescu: asciilifeform same people who check the gpg rng unwhitened.
asciilifeform: (rng is also used in primality test, but it is switched into 'fast' gear and doesn't use the pool)
asciilifeform: incidentally, mr. lolcow just gave away, unwittingly, another gpg laugh - recall what else comes out of rng when you generate key, after the primes ?
asciilifeform: (i've been shaping a mental picture of what kind of rng idiocy could lead to such a thing, to no avail)
asciilifeform: 'what if the wire frays and rng is feeding 000000...'
asciilifeform: sorta like a special-purpose 'valgrind', for debugging rng.
asciilifeform: ;;later tell mircea_popescu https://threatpost.com/gpg-patches-18-year-old-libgcrypt-rng-bug/119984 << the hannobockization is ready!!!1111
asciilifeform: again point was to observe rng spill.
asciilifeform: PeterL: for the rng spill test
asciilifeform: contains a single rng invocation,
asciilifeform: the diddled rng being the first.
BingoBoingo: https://www.reddit.com/r/security/comments/4y8w7s/rng_whitening_bug_weakened_all_versions_of_gpg/
asciilifeform: ;;later tell mircea_popescu http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg/#comment-67543
BingoBoingo: https://www.reddit.com/r/netsec/comments/4y8xo1/rng_whitening_bug_weakens_gpg/ << try to browse to
mod6: <@deedbot> http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg/ << Qntra - RNG Whitening Bug Weakened All Versions of GPG << f.
deedbot: http://qntra.net/2016/08/rng-whitening-bug-weakened-all-versions-of-gpg/ << Qntra - RNG Whitening Bug Weakened All Versions of GPG
asciilifeform: during my audit of the rng routine, i barfed at the whitening and stopped reading.
asciilifeform: '...bug in the mixing functions of Libgcrypt's random number generator: An attacker who obtains 4640 bits from the RNG can trivially predict the next 160 bits of output. This bug exists since 1998 in all GnuPG and Libgcrypt versions.'
asciilifeform: ditto the null rng keys
asciilifeform: diddled pgptrons that shit out dupe primes are 'yesterday's' thing. i suspect that the state of the art involves rng that still gives each chumper a unique prime pair, but it can be calculated via some kleptographic clue.
asciilifeform: dump it to a printer, there is some lulz re obviously braindamaged rng etc.
asciilifeform: this, notice, is the same freebsd as was distributed with DEAD rng, for ~year
mircea_popescu: and hashes the result. this is the "rng". at end of day publishes day's salt concatenations for each played hand.
asciilifeform: mircea_popescu: a certain amount of rng load can be moved to server end (rekeying on that end, and ciphers new session key to pubkey of client, which was presumably generated at his leisure and is adequately entropic)
mircea_popescu: if we actually go with a 12-pass hashing method, this then will require > 8kb of entropy/second from the client, which isn't possibru without dedicated rng fountain.
mircea_popescu: in this case : here is the security loss from adding a 13th step to the 12 step scheme : 79. here is the security loss from not adding it, because rng starvation : 45.
shinohai: has anyone checked the rng for the new blockchain.info `wallet`
mircea_popescu: but anyway, it's ok that there isn't : there ALSO isn't a way to evaluate strength loss due to "rng" starvation.
a111: Logged on 2016-08-05 00:40 mircea_popescu: "Testing RSA keys after generation is a fool's quest. This is a nice thing to do to detect some poor implementations, not poor keys. Moreover, it detects only certain classes of poor keys (specifically, those with small factors). It does not detect poorly seeded RNG used in an otherwise correct RSA private key generation." << god i love reading year-old webwisdom/community consensusi.
mircea_popescu: "Testing RSA keys after generation is a fool's quest. This is a nice thing to do to detect some poor implementations, not poor keys. Moreover, it detects only certain classes of poor keys (specifically, those with small factors). It does not detect poorly seeded RNG used in an otherwise correct RSA private key generation." << god i love reading year-old webwisdom/community consensusi.
asciilifeform: speaking of scraps of living matter in the pipe, http://qntra.net/2016/08/phuctor-finds-seven-keys-produced-with-null-rng-and-other-curiosities/#comment-66086
asciilifeform: ^ reactivated ~immediately after the null rng find published
asciilifeform: an rng firing blanks and leading rsa key gen to spit out the square of a prime immediately following a power of two, is simply one way to arrive at such.
asciilifeform: mircea_popescu: my best hypothesis is a) khadeer generated key with, e.g., 'jihadcrypt' b) winblowz gpg with the memcpy from rng nopped out by ???
mircea_popescu: asciilifeform incidentally, "owned by whitening" is not altogether a bad theory wrt the null-entropy keys. ie, "they replaced rng with null-outputting one, never noticed because whitening". this, of course, doesn't explain why gpg would end up with null-generated keys, but whatevs.
mircea_popescu: but better rng code could well live in the os.
asciilifeform: so rng gets stuck as an os api function
asciilifeform: it is a kind of forced/nudged idiotarianism, via os architecture, userland does not have the direct access to the hardware (incl. the scheduler) to force a proper sampling of whatever hardware rng
mircea_popescu: anyway, i don't dispute that "accidentally"-deliberately nobody put any effort into rng quality assurance ; key quality assurance ; etc.
asciilifeform: (e.g., aes of a stream of nulls, outscores (debiased) geiger, electric rng, whatever you like, on ~100% of the tests)
asciilifeform: to compactly rephrase, entropy testing is only useful when you ~know the design of the rng~
asciilifeform: it is useless to test rng that is, to steal hanbot's phrasing, 'an unknown mixture of fact and hogwash'
asciilifeform: http://btcbase.org/log/2016-08-03#1513709 << the obvious reason: at this point, even the lamest system rng (urandom, etc) are 'whitened' and trivially pass the tests, while having anywhere from 0 to whatever actual hardware entropic content
nosuchlabswww: Phuctor Finds Seven Keys Produced With Null RNG, And Other Curiosities
mircea_popescu: they support anything and everything but sound cryptography, proper rng etc.
asciilifeform: http://cluborlov.blogspot.com/2016/08/furious-sheep.html << orlol suggests vote-by-rng.
BingoBoingo: lulz http://qntra.net/2016/08/phuctor-finds-seven-keys-produced-with-null-rng-and-other-curiosities/#comment-65904
deedbot: [Qntra] Phuctor Finds Seven Keys Produced With Null RNG, And Other Curiosities - http://qntra.net/2016/08/phuctor-finds-seven-keys-produced-with-null-rng-and-other-curiosities/
mircea_popescu: asciilifeform http://qntra.net/2016/08/phuctor-finds-seven-keys-produced-with-null-rng-and-other-curiosities/ << now do diff to your thing for next time.
asciilifeform: ;;later tell mircea_popescu p == q of http://phuctor.nosuchlabs.com/gpgkey/DDDE667282B355D21D9F0E3505442E332AB082F487BFFC440034D11D636FD6A7 , and, (via jurov's eagle eye) - == NextPrime[2^1023], which corresponds to keygen on machine with a null-outputting rng!
mircea_popescu: anyway, it's not a matter of how to make green a prime number. it's more of a matter of "how to make cryptographic rng work from a seed".
asciilifeform: there are other problems, but the logz seem to be missing the main thread, so i will summarize a few: it is physically impossible to fit a serious rng in the thing, regardless of how constructed; the pc knows that a dedicated crypto hardware item is connected, and if attacker controls it he can sign/decrypt whatever the hell he wants with your card; and a bunch more.
asciilifeform: mircea_popescu: i'd be curious to see where all the rng-less home routers etc. went
a111: Logged on 2016-06-27 17:15 asciilifeform: the historic ~0.1% popping rate of ssh keys has nothing to do with flips, and everything to do with embedded gadgets with no rng
Framedragger: http://btcbase.org/log/2016-06-27#1491238 << i too expected gadgets with shitty rng. any source for that 0.1% figure?
asciilifeform: the historic ~0.1% popping rate of ssh keys has nothing to do with flips, and everything to do with embedded gadgets with no rng
asciilifeform: and can call rng.
a111: Logged on 2016-06-16 15:41 asciilifeform: this incidentally is why phuctor had been a depressing thing for me. the thing i set out to find, i never found (evidence of diddled rng on pgp users' boxes.)
asciilifeform: it had NO FUCKING RNG AT ALL FOR YEARS and NO ONE NOTICED.
asciilifeform: this incidentally is why phuctor had been a depressing thing for me. the thing i set out to find, i never found (evidence of diddled rng on pgp users' boxes.)
asciilifeform: (from, elementarily, machines with ~no~ rng)
mircea_popescu: in general, a rng capable of delivering good quality data by the tb is not free.
asciilifeform: if not supplied by rng - trivially works.
asciilifeform: forget even rng.
mircea_popescu: provided the rng is that good, which probably it is not etc.
asciilifeform: fill time, in hours, using 100MB/s rng.
a111: Logged on 2016-02-06 20:47 mircea_popescu: your bias-less rng shits out n/2 ones. they go against a message containing 3/4n ones. they will flip n/2 items in the message, 3/4 of which being 1s and 1/4 being 0s. you thus end up with 3/8 old ones + 1/8 ex-zeroes for a grand total of exactly 1/2 whoa.
ben_vulpes: in other rng news http://i.imgur.com/TxFLW5F.jpg
asciilifeform: http://btcbase.org/log/2016-05-20#1469373 << this was hyped worldwide, but for some reason when it turned out that ~3 years of freebsd, ending some time last year, had NO ENTROPY in rng, it was ~nowhere.
asciilifeform: (even a rubbish rng can masquerade as a usable one until you iterate through the epochal times)
asciilifeform realized that the perfect rng is in fact... a spinthariscope.
a111: Logged on 2016-05-06 04:00 mircea_popescu: search me how the fuck they managed to get rng in js, but w/e.
asciilifeform: http://btcbase.org/log/2016-05-06#1463821 << realize that 'poor rng' does not necessarily mean 'phuctorable.' if the keyspace is reduced from, say, 10^100 to 10^10, it does not follow that given the number of extant keys there will be duplicate factors.
mircea_popescu: search me how the fuck they managed to get rng in js, but w/e.
asciilifeform: mircea_popescu: briefly back to the fiber, from what i saw last night, one would need about 20cm for ideal rng.
a111: Logged on 2016-05-01 14:50 mircea_popescu: asciilifeform> (does everybody understand why scintillator ~fiber~ is neat, while the commonly-available scintillating plastic blocks are nearly useless for rng ?) << essentially, quantum antenna.
mircea_popescu: asciilifeform> (does everybody understand why scintillator ~fiber~ is neat, while the commonly-available scintillating plastic blocks are nearly useless for rng ?) << essentially, quantum antenna.
asciilifeform: (does everybody understand why scintillator ~fiber~ is neat, while the commonly-available scintillating plastic blocks are nearly useless for rng ?)
asciilifeform: 'some sort of noise' is very low bar, actual battlefield rng needs a number of other properties (chiefly, difficulty for the enemy in influencing or predicting the output)
asciilifeform: pretty much solves the problems from which i refused to use geiger tube in my rng
phf: rng posted for comedic value, thing reads like clever parody, while it of course is not
asciilifeform: 'The Dual_EC_DRBG RNG was later reported to probably contain a backdoor inserted by the National Security Agency, while the other three random number generators are still considered secure' << are we at the circus ??
mircea_popescu: [which ties neatly into rng discussion yest and structured-behaviour-and-the-wot perennially]
mircea_popescu: sure, an argument could be brought that "hey, even blocking /random is faster than dice". maybe. then consider machines that do not have a rng at all, such as pogo. maybe they want pws too. etc.
phf: a dice rng is "defective design". it's all over the place, low tech solution right in the middle of high tech stack. can't make one at home, since bias. wouldn't really make key by hand either. any optimizations turn to logical "why not flip electrons instead". i've noticed the tendency though, friend told me that he's generating work passwords with diceware
asciilifeform: anyway imho any rng which has measurable wear during normal operating life, is defective design.
asciilifeform: enemy can only learn something from a worn rng if the owner himself had no way to meaningfully measure wear.
asciilifeform: it is only a problem in ridiculously narrow trickle sort of rng.
asciilifeform: other interesting question, imho, re any rng, is - how much does enemy learn if he captures it
mircea_popescu: ALWAYS doing anything is a rng leak.
a111: Logged on 2016-04-13 09:03 punkman: https://eprint.iacr.org/2016/367 "we demonstrate various weaknesses of the random number generator (RNG) in the OpenSSL cryptographic library"
phf: https://eprint.iacr.org/2016/367 analysis of openssl rng, conclusion it's bad
mod6: <+asciilifeform> but it is NOT a substitute for modern electric rng << hey, i guess to an extent, i totally agree. except, we don't have a modern electric rng.
asciilifeform: but it is NOT a substitute for modern electric rng
mike_c: better for RNG with dicelist
asciilifeform: Run Moar Whitened RNG!!