From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
Date: Tue, 18 Jul 2000 00:24:51 -0400
Message-ID: <3973DC13.E93F573A@vangelderen.org>
To: David Schwartz
Cc: Poul-Henning Kamp, current@FreeBSD.ORG
Subject: Re: randomdev entropy gathering is really weak

David Schwartz wrote:
>
> > > Predicting the clock's offset from reality and the two way path to
> > > the server of choice is impossible, plus if people enable authentication
> > > later on the packets will be chock full of high-quality entropy.
> >
> > Please quantify 'impossible'.
>
> Impossible as in cannot be done. The offset between, for example, the
> processor clock and the NIC clock is unpredictable.

The EXACT offset is unpredictable. Unfortunately that's not what matters, because an attacker can still guess. What does matter is the set of likely/possible offsets. That set may be small or may be large or may be biased. Can you tell me how large it *typically* is on your computer?

My clock usually is within a few seconds from my NTP server. I guess -assuming microsecond resolution- that allows for a couple of million possibilities but no more. I can definitely extract one or two bits of entropy from this, but can I do ten, twenty or even 30? [1] Can you generate a 1024-bit RSA key after processing 10 NTP packets? I don't think so.

How many *do* you need? You need to quantify all this to make a good entropy estimate. Just implementing this functionality because 'predicting the clock's offset [...] is impossible' is pretty pointless.

Cheers,
Jeroen

[1] And then, what's the effect of an attacker sniffing your LAN? What information would he have to make his guess more accurate?
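The arithmetic behind the argument above, as an added illustration that is not part of the original thread or of FreeBSD's randomdev: log2 of the number of plausible offsets is only an upper bound on the entropy of one sample, a biased distribution yields far less, and the per-sample figure decides how many packets a given key size needs. The offset window, resolution and the histogram of observed offsets are constructed values, not measurements.

```python
"""Entropy budget for NTP-style clock-offset samples (constructed example)."""
import math
from collections import Counter


def max_entropy_bits(window_seconds: float, resolution_seconds: float) -> float:
    """Upper bound: log2 of the number of distinguishable offsets in the window.
    A few seconds at microsecond resolution gives ~22 bits at the very most."""
    return math.log2(window_seconds / resolution_seconds)


def min_entropy_bits(samples) -> float:
    """Min-entropy -log2(p_max) of an empirical offset distribution: the
    guessing work for an attacker who always tries the most likely offset.
    This, not the size of the window, is what a pool should credit."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def shannon_entropy_bits(samples) -> float:
    """Shannon entropy of the same distribution; always >= min-entropy."""
    n = len(samples)
    return -sum(c / n * math.log2(c / n) for c in Counter(samples).values())


def samples_needed(target_bits: float, bits_per_sample: float) -> int:
    """Independent samples required to accumulate target_bits (rounded up).
    Assumes samples are independent; an attacker sniffing the LAN (footnote
    [1]) would shrink the plausible set further and raise this number."""
    if bits_per_sample <= 0:
        raise ValueError("a sample with no entropy never reaches the target")
    return math.ceil(target_bits / bits_per_sample)


# Constructed histogram of observed offsets, in milliseconds: 100 samples,
# 40% of them on a single value, i.e. strongly biased toward one offset.
OBSERVED_OFFSETS_MS = [12] * 40 + [13] * 30 + [14] * 20 + [11] * 10
KEY_BITS = 1024  # the key size the message asks about

if __name__ == "__main__":
    bound = max_entropy_bits(4.0, 1e-6)            # 4 s window, 1 us steps
    h_min = min_entropy_bits(OBSERVED_OFFSETS_MS)
    h_sh = shannon_entropy_bits(OBSERVED_OFFSETS_MS)
    print(f"upper bound per sample : {bound:.2f} bits")
    print(f"min-entropy per sample : {h_min:.2f} bits (Shannon {h_sh:.2f})")
    print(f"samples for {KEY_BITS} bits: {samples_needed(KEY_BITS, bound)} "
          f"at the bound, {samples_needed(KEY_BITS, h_min)} at min-entropy")
```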