```c
/* genrand(): the preview cuts in mid-statement. The function head, the
 * MD5Init() call and the loop head are restored here from the surrounding
 * calls and the text's description; they are not shown in the preview. */
void genrand(unsigned char *buf, int buflen)
{
    MD5_CTX md5;
    unsigned char tmp[16];
    int n;

    while (buflen != 0) {
        MD5Init(&md5);
        MD5Update(&md5, (unsigned char *)&Randpool, sizeof(Randpool));
        MD5Update(&md5, (unsigned char *)&Randcnt, sizeof(Randcnt));
        MD5Final(tmp, &md5);
        Randcnt++;                          /* Increment counter */
        /* Copy 16 bytes or requested amount, whichever is less,
         * to the user's buffer */
        n = (buflen < 16) ? buflen : 16;
        memcpy(buf, tmp, n);
        buf += n;
        buflen -= n;
    }
}
```

The hash function is crucial here for several reasons. First, it provides an easy way to generate an arbitrary amount of pseudo-random data without having to call churnrand() each time. In effect, the system degrades gracefully from perfect to practical randomness when the demand exceeds the supply. In this case it becomes theoretically possible to use the result from one genrand() call to determine a previous or subsequent result, but doing so requires inverting MD5, which is computationally infeasible.

This is important because the routine doesn't know what each caller will do with the random data it returns. One call might generate a random number for a protocol that is sent in the clear, perhaps in response to a direct request by an attacker. The very next call might generate a secret key for an unrelated session that the attacker wishes to penetrate. Obviously, it is very important that an attacker not be able to deduce the secret key from the nonce.

One problem remains. There must be sufficient randomness in the Randpool array before the first call to genrand(). If the system has been running for a while with a local user typing on the keyboard, that is no problem. But what about a standalone system that reboots automatically without seeing any keyboard or mouse input? This is a tough one. A partial solution would require the operator to type for a while after the very first reboot, and to create a seed file on disk before shutting down to carry the randomness in Randseed across reboots. But do not save the Randseed array directly. An attacker who steals this file could determine all of the results from genrand() after the last call to churnrand() prior to the file...
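The genrand() construction described above, as an added Python model rather than the page's own C code: it hashes the pool together with a counter, hands out the digest in 16-byte blocks, and shows why a copy of the pool state lets anyone replay the same output. The 64-byte pool contents, the 32-bit little-endian counter width and the `hash_block`/`demo` names are assumptions of this example.

```python
import hashlib

# Constructed 64-byte pool standing in for Randpool after churnrand() has
# mixed entropy into it; in real use it would never be a known constant.
POOL = bytes(range(64))


def hash_block(pool: bytes, cnt: int) -> bytes:
    """MD5(Randpool || Randcnt): the 16-byte block genrand() copies out.

    Assumes a 32-bit little-endian Randcnt (sizeof(Randcnt) == 4)."""
    md5 = hashlib.md5()
    md5.update(pool)
    md5.update(cnt.to_bytes(4, "little"))
    return md5.digest()


class RandPool:
    def __init__(self, pool: bytes):
        self.pool = bytes(pool)  # only hashes of the pool ever leave
        self.cnt = 0             # Randcnt, incremented per 16-byte block

    def genrand(self, buflen: int) -> bytes:
        out = bytearray()
        while buflen > 0:
            tmp = hash_block(self.pool, self.cnt)
            self.cnt = (self.cnt + 1) & 0xFFFFFFFF  # Increment counter
            n = min(buflen, 16)  # 16 bytes or what remains, whichever is less
            out += tmp[:n]
            buflen -= n
        return bytes(out)


def demo():
    a = RandPool(POOL)
    nonce = a.genrand(40)   # three blocks: cnt 0, 1 and the first 8 bytes of 2
    key = a.genrand(16)     # cnt 3: the counter keeps blocks from repeating
    b = RandPool(POOL)
    replay = b.genrand(40)  # same pool, same counter: identical output, which
                            # is why saved pool state must be protected
    return nonce, key, replay
```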
This note was uploaded on 10/18/2010 for the course MATH CS 301 taught by Professor Aliulger during the Fall '10 term at Koç University.