net2o: Hex Artifact Content

Artifact 8e98cbe1dd66b8832abc905b9c787eaf0dc4b313:

File wiki/rng.md — part of check-in [d9332e3ec1] at 2019-03-18 22:54:08 on branch trunk — Improvement in social network display (user: bernd size: 2633)
0000: 23 20 52 61 6e 64 6f 6d 20 4e 75 6d 62 65 72 20  # Random Number 
0010: 53 65 61 74 20 42 65 6c 74 73 0a 0a 52 61 6e 64  Seat Belts..Rand
0020: 6f 6d 20 6e 75 6d 62 65 72 20 67 65 6e 65 72 61  om number genera
0030: 74 6f 72 73 20 61 72 65 20 61 20 6b 6e 6f 77 6e  tors are a known
0040: 20 61 74 74 61 63 6b 20 76 65 63 74 6f 72 20 74   attack vector t
0050: 6f 20 77 65 61 6b 65 6e 20 63 72 79 70 74 6f 67  o weaken cryptog
0060: 72 61 70 68 79 2e 20 20 49 0a 75 73 65 20 61 6c  raphy.  I.use al
0070: 6c 20 74 65 63 68 6e 69 71 75 65 73 20 49 20 6b  l techniques I k
0080: 6e 6f 77 20 74 6f 20 6d 61 6b 65 20 73 75 72 65  now to make sure
0090: 20 6e 65 74 32 6f 20 75 73 65 73 20 61 20 63 72   net2o uses a cr
00a0: 79 70 74 6f 67 72 61 70 68 69 63 61 6c 6c 79 20  yptographically 
00b0: 73 74 72 6f 6e 67 0a 72 61 6e 64 6f 6d 20 6e 75  strong.random nu
00c0: 6d 62 65 72 20 28 43 53 50 52 4e 47 29 2e 0a 0a  mber (CSPRNG)...
00d0: 23 23 20 57 68 61 74 20 64 6f 20 79 6f 75 20 6e  ## What do you n
00e0: 65 65 64 20 66 6f 72 20 61 20 43 53 50 52 4e 47  eed for a CSPRNG
00f0: 3f 0a 0a 2a 20 41 6e 20 65 6e 74 72 6f 70 79 20  ?..* An entropy 
0100: 73 6f 75 72 63 65 20 e2 80 94 20 49 20 75 73 65  source â€” I use
0110: 20 74 68 65 20 4f 53 20 66 6f 72 20 74 68 61 74   the OS for that
0120: 2c 20 60 2f 64 65 76 2f 75 72 61 6e 64 6f 6d 60  , `/dev/urandom`
0130: 20 69 73 20 6b 6e 6f 77 6e 20 67 6f 6f 64 2e 0a   is known good..
0140: 2a 20 41 20 73 65 63 75 72 65 2c 20 6e 6f 6e 2d  * A secure, non-
0150: 72 65 76 65 72 73 69 62 6c 65 20 65 78 70 61 6e  reversible expan
0160: 73 69 6f 6e 20 61 6c 67 6f 72 69 74 68 6d 20 e2  sion algorithm â
0170: 80 94 20 49 20 75 73 65 20 6b 65 63 63 61 6b 2c  €” I use keccak,
0180: 20 77 68 69 63 68 0a 20 20 65 6e 63 72 79 70 74   which.  encrypt
0190: 73 20 61 67 61 69 6e 20 61 6e 64 20 61 67 61 69  s again and agai
01a0: 6e 20 74 68 65 20 73 61 6d 65 20 6f 75 74 70 75  n the same outpu
01b0: 74 20 62 75 66 66 65 72 20 75 73 69 6e 67 20 61  t buffer using a
01c0: 6e 20 65 76 65 72 2d 63 68 61 6e 67 69 6e 67 0a  n ever-changing.
01d0: 20 20 73 65 63 72 65 74 20 73 74 61 74 65 20 28    secret state (
01e0: 6b 65 79 20 65 72 61 73 75 72 65 29 2e 20 20 41  key erasure).  A
01f0: 6e 20 61 74 74 61 63 6b 65 72 20 73 68 6f 75 6c  n attacker shoul
0200: 64 20 6e 6f 74 20 62 65 20 61 62 6c 65 20 74 6f  d not be able to
0210: 20 67 75 65 73 73 20 70 61 73 74 0a 20 20 72 61   guess past.  ra
0220: 6e 64 6f 6d 20 6e 75 6d 62 65 72 73 20 66 72 6f  ndom numbers fro
0230: 6d 20 74 68 65 20 63 75 72 72 65 6e 74 20 73 74  m the current st
0240: 61 74 65 2c 20 61 6e 64 20 73 68 6f 75 6c 64 20  ate, and should 
0250: 68 61 76 65 20 64 69 66 66 69 63 75 6c 74 69 65  have difficultie
0260: 73 20 74 6f 0a 20 20 67 75 65 73 73 20 66 75 74  s to.  guess fut
0270: 75 72 65 20 6f 6e 65 73 20 61 66 74 65 72 20 72  ure ones after r
0280: 65 2d 69 6e 6a 65 63 74 69 6f 6e 20 6f 66 20 65  e-injection of e
0290: 6e 74 72 6f 70 79 2e 0a 0a 54 68 65 73 65 20 74  ntropy...These t
02a0: 77 6f 20 74 68 69 6e 67 73 20 61 72 65 20 67 6f  wo things are go
02b0: 6f 64 20 65 6e 6f 75 67 68 2c 20 62 75 74 20 68  od enough, but h
02c0: 65 72 65 27 73 20 61 62 6f 75 74 20 74 68 65 20  ere's about the 
02d0: 73 65 61 74 20 62 65 6c 74 73 2c 20 74 68 65 0a  seat belts, the.
02e0: 61 64 64 69 74 69 6f 6e 61 6c 20 6c 65 76 65 6c  additional level
02f0: 20 6f 66 20 73 65 63 75 72 69 74 79 20 74 6f 20   of security to 
0300: 6d 61 6b 65 20 73 75 72 65 20 65 76 65 6e 20 69  make sure even i
0310: 66 20 6f 6e 65 20 6f 66 20 74 68 65 73 65 20 74  f one of these t
0320: 77 6f 20 66 61 69 6c 73 0a 73 75 64 64 65 6e 6c  wo fails.suddenl
0330: 79 2c 20 69 74 27 73 20 6e 6f 74 20 61 20 64 65  y, it's not a de
0340: 62 61 63 6c 65 2e 0a 0a 23 23 20 44 65 74 65 63  bacle...## Detec
0350: 74 69 6f 6e 20 6f 66 20 6c 6f 77 2d 65 6e 74 72  tion of low-entr
0360: 6f 70 79 20 50 52 4e 47 0a 0a 49 20 73 74 6f 72  opy PRNG..I stor
0370: 65 20 61 20 31 32 38 20 62 69 74 20 73 68 6f 72  e a 128 bit shor
0380: 74 20 65 78 74 72 61 63 74 69 6f 6e 20 6f 66 20  t extraction of 
0390: 74 68 65 20 72 61 6e 64 6f 6d 20 6e 75 6d 62 65  the random numbe
03a0: 72 20 70 6f 6f 6c 20 69 6e 20 61 20 68 69 73 74  r pool in a hist
03b0: 6f 72 79 0a 66 69 6c 65 2c 20 61 6e 64 20 63 6f  ory.file, and co
03c0: 6d 70 61 72 65 20 65 61 63 68 20 65 78 74 72 61  mpare each extra
03d0: 63 74 69 6f 6e 20 77 69 74 68 20 74 68 65 20 63  ction with the c
03e0: 6f 6e 74 65 6e 74 73 20 6f 66 20 74 68 61 74 20  ontents of that 
03f0: 66 69 6c 65 2e 20 20 49 74 20 73 68 6f 75 6c 64  file.  It should
0400: 0a 6e 6f 74 20 61 70 70 65 61 72 20 74 77 69 63  .not appear twic
0410: 65 20 28 6c 69 6b 65 6c 79 68 6f 6f 64 3a 20 32  e (likelyhood: 2
0420: 5e 2d 36 34 29 2e 20 20 49 74 27 73 20 6e 6f 74  ^-64).  It's not
0430: 20 6c 6f 6e 67 20 65 6e 6f 75 67 68 20 74 6f 20   long enough to 
0440: 72 65 63 6f 76 65 72 0a 70 72 65 76 69 6f 75 73  recover.previous
0450: 20 72 61 6e 64 6f 6d 20 6e 75 6d 62 65 72 20 73   random number s
0460: 74 61 74 65 73 2c 20 61 6e 64 20 69 74 20 69 73  tates, and it is
0470: 20 6e 6f 74 20 73 68 6f 72 74 20 65 6e 6f 75 67   not short enoug
0480: 68 20 74 6f 20 61 63 63 69 64 65 6e 74 6c 79 20  h to accidently 
0490: 68 61 76 65 0a 63 6f 6c 6c 69 73 73 69 6f 6e 73  have.collissions
04a0: 2e 20 20 59 6f 75 20 63 61 6e 20 72 65 73 74 61  .  You can resta
04b0: 72 74 20 6e 65 74 32 6f 20 32 5e 36 34 20 74 69  rt net2o 2^64 ti
04c0: 6d 65 73 20 74 6f 20 67 65 74 20 61 20 35 30 25  mes to get a 50%
04d0: 20 63 68 61 6e 63 65 20 6f 66 0a 63 6f 6c 6c 69   chance of.colli
04e0: 73 73 69 6f 6e 2e 20 20 59 6f 75 72 20 68 69 73  ssion.  Your his
04f0: 74 6f 72 79 20 66 69 6c 65 20 77 69 6c 6c 20 62  tory file will b
0500: 65 20 66 61 72 20 74 6f 6f 20 6c 6f 6e 67 20 62  e far too long b
0510: 79 20 74 68 65 6e 2c 20 61 6e 64 20 79 6f 75 20  y then, and you 
0520: 77 69 6c 6c 20 77 61 6e 74 0a 74 6f 20 64 65 6c  will want.to del
0530: 65 74 65 20 69 74 2e 20 20 54 68 69 73 20 69 73  ete it.  This is
0540: 20 74 68 65 20 63 68 65 63 6b 20 70 61 72 74 20   the check part 
0550: 6f 66 20 74 68 65 20 73 65 61 74 20 62 65 6c 74  of the seat belt
0560: 3a 20 69 66 20 69 74 27 73 20 6e 6f 74 20 61 74  : if it's not at
0570: 74 61 63 68 65 64 2c 0a 69 74 20 77 69 6c 6c 20  tached,.it will 
0580: 62 65 65 70 2e 0a 0a 23 23 20 4b 65 79 20 65 72  beep...## Key er
0590: 61 73 75 72 65 20 61 6e 64 20 72 6f 6c 6c 69 6e  asure and rollin
05a0: 67 20 74 61 67 0a 0a 49 20 73 74 6f 72 65 20 61  g tag..I store a
05b0: 6e 20 69 6e 69 74 69 61 6c 69 7a 69 6e 67 20 73  n initializing s
05c0: 74 61 74 65 20 66 6f 72 20 74 68 65 20 50 52 4e  tate for the PRN
05d0: 47 2c 20 66 69 72 73 74 20 67 65 6e 65 72 61 74  G, first generat
05e0: 65 64 20 74 6f 67 65 74 68 65 72 20 77 69 74 68  ed together with
05f0: 20 79 6f 75 72 0a 73 65 6b 72 65 74 20 6b 65 79   your.sekret key
0600: 2e 20 20 54 68 69 73 20 69 73 20 74 68 65 20 74  .  This is the t
0610: 69 6d 65 20 77 68 65 6e 20 61 20 6c 6f 77 2d 65  ime when a low-e
0620: 6e 74 72 6f 70 79 20 73 79 73 74 65 6d 20 63 61  ntropy system ca
0630: 6e 20 61 73 6b 20 74 68 65 20 75 73 65 72 20 74  n ask the user t
0640: 6f 0a 61 64 64 20 6d 6f 72 65 20 65 6e 74 72 6f  o.add more entro
0650: 70 79 20 62 79 20 65 2e 67 2e 20 6d 6f 76 69 6e  py by e.g. movin
0660: 67 20 74 68 65 20 6d 6f 75 73 65 20 6f 72 20 77  g the mouse or w
0670: 61 6c 6b 69 6e 67 20 6f 76 65 72 20 74 68 65 20  alking over the 
0680: 6b 65 79 62 6f 61 72 64 2e 20 20 54 68 61 74 0a  keyboard.  That.
0690: 69 6e 69 74 69 61 6c 20 73 74 61 74 65 20 74 68  initial state th
06a0: 65 6e 20 68 61 73 20 65 6e 6f 75 67 68 20 72 61  en has enough ra
06b0: 6e 64 6f 6d 6e 65 73 73 2e 0a 0a 4f 6e 20 65 76  ndomness...On ev
06c0: 65 72 79 20 73 74 61 72 74 20 6f 66 20 6e 65 74  ery start of net
06d0: 32 6f 2c 20 49 20 6d 69 78 20 69 74 20 74 6f 67  2o, I mix it tog
06e0: 65 74 68 65 72 20 77 69 74 68 20 65 6e 74 72 6f  ether with entro
06f0: 70 79 20 66 72 6f 6d 20 60 2f 64 65 76 2f 72 61  py from `/dev/ra
0700: 6e 64 6f 6d 60 0a 61 6e 64 20 72 65 70 6c 61 63  ndom`.and replac
0710: 65 20 74 68 65 20 70 72 65 76 69 6f 75 73 20 73  e the previous s
0720: 61 76 65 64 20 63 6f 6e 74 65 6e 74 2e 20 20 54  aved content.  T
0730: 68 69 73 20 69 73 20 74 6f 20 70 72 65 76 65 6e  his is to preven
0740: 74 20 61 20 66 6f 72 77 61 72 64 20 73 65 63 72  t a forward secr
0750: 65 63 79 0a 61 74 74 61 63 6b 2e 20 20 54 6f 20  ecy.attack.  To 
0760: 6d 61 6b 65 20 73 75 72 65 20 74 68 65 20 69 6e  make sure the in
0770: 69 74 69 61 6c 20 73 74 61 74 65 20 63 61 6e 27  itial state can'
0780: 74 20 62 65 20 75 73 65 64 20 74 6f 20 72 65 63  t be used to rec
0790: 6f 76 65 72 20 66 6f 72 77 61 72 64 0a 73 65 63  over forward.sec
07a0: 72 65 63 79 2c 20 69 74 27 73 20 6a 75 73 74 20  recy, it's just 
07b0: 61 20 70 61 72 74 20 6f 66 20 74 68 65 20 6f 76  a part of the ov
07c0: 65 72 61 6c 6c 20 73 74 61 74 65 2c 20 61 6e 64  erall state, and
07d0: 20 6f 76 65 72 77 72 69 74 74 65 6e 20 62 79 20   overwritten by 
07e0: 67 65 6e 65 72 61 74 69 6e 67 0a 6d 6f 72 65 20  generating.more 
07f0: 72 61 6e 64 6f 6d 20 6e 75 6d 62 65 72 73 20 61  random numbers a
0800: 66 74 65 72 77 61 72 64 73 3b 20 67 65 6e 65 72  fterwards; gener
0810: 61 74 69 6e 67 20 6d 6f 72 65 20 72 61 6e 64 6f  ating more rando
0820: 6d 20 6e 75 6d 62 65 72 73 20 77 69 6c 6c 20 72  m numbers will r
0830: 65 70 6c 61 63 65 0a 74 68 65 20 73 65 63 72 65  eplace.the secre
0840: 74 20 73 74 61 74 65 20 77 69 74 68 20 61 20 6e  t state with a n
0850: 65 77 20 6f 6e 65 2e 20 20 54 68 69 73 20 74 65  ew one.  This te
0860: 63 68 6e 69 71 75 65 20 69 73 20 63 61 6c 6c 65  chnique is calle
0870: 64 20 5f e2 80 9c 6b 65 79 20 65 72 61 73 69 6e  d _â€œkey erasin
0880: 67 0a 50 52 4e 47 e2 80 9d 5f 2e 20 20 54 68 69  g.PRNGâ€_.  Thi
0890: 73 20 69 73 20 69 6d 70 6f 72 74 61 6e 74 2e 0a  s is important..
08a0: 0a 4e 6f 74 65 20 74 68 61 74 20 61 20 72 65 76  .Note that a rev
08b0: 69 73 69 6f 6e 20 63 6f 6e 74 72 6f 6c 6c 69 6e  ision controllin
08c0: 67 20 66 69 6c 65 20 73 79 73 74 65 6d 20 63 61  g file system ca
08d0: 6e 20 6b 6e 6f 77 20 74 68 65 20 73 61 76 65 20  n know the save 
08e0: 74 69 6d 65 20 61 6e 64 20 61 6c 6c 0a 74 68 65  time and all.the
08f0: 20 73 74 61 74 65 73 20 6f 66 20 74 68 65 20 70   states of the p
0900: 72 65 76 69 6f 75 73 20 69 6e 69 74 20 66 69 6c  revious init fil
0910: 65 73 2e 20 20 49 66 20 74 68 65 20 65 6e 74 72  es.  If the entr
0920: 6f 70 79 20 69 73 20 76 65 72 79 20 6c 6f 75 73  opy is very lous
0930: 79 2c 20 61 6e 64 20 6f 6e 6c 79 0a 72 65 6c 61  y, and only.rela
0940: 74 65 64 20 74 6f 20 74 68 65 20 73 79 73 74 65  ted to the syste
0950: 6d 20 74 69 6d 65 20 77 68 65 6e 20 72 65 61 64  m time when read
0960: 69 6e 67 20 69 74 2c 20 72 65 63 6f 76 65 72 79  ing it, recovery
0970: 20 6f 66 20 6f 6c 64 20 6b 65 79 73 20 69 73 20   of old keys is 
0980: 73 74 69 6c 6c 0a 70 6f 73 73 69 62 6c 65 2e 20  still.possible. 
0990: 20 54 68 65 72 65 66 6f 72 65 2c 20 79 6f 75 20   Therefore, you 
09a0: 73 68 6f 75 6c 64 20 6e 6f 74 20 73 74 6f 72 65  should not store
09b0: 20 74 68 65 20 72 61 6e 64 6f 6d 20 6e 75 6d 62   the random numb
09c0: 65 72 20 69 6e 69 74 69 61 6c 69 7a 65 72 20 6f  er initializer o
09d0: 6e 20 61 0a 76 65 72 73 69 6f 6e 20 63 6f 6e 74  n a.version cont
09e0: 72 6f 6c 6c 69 6e 67 20 66 69 6c 65 20 73 79 73  rolling file sys
09f0: 74 65 6d 2e 0a 0a 23 23 20 4c 69 74 65 72 61 74  tem...## Literat
0a00: 75 72 65 0a 0a 31 2e 20 5b 44 4a 42 20 6f 6e 20  ure..1. [DJB on 
0a10: 6b 65 79 20 65 72 61 73 75 72 65 5d 28 68 74 74  key erasure](htt
0a20: 70 73 3a 2f 2f 62 6c 6f 67 2e 63 72 2e 79 70 2e  ps://blog.cr.yp.
0a30: 74 6f 2f 32 30 31 37 30 37 32 33 2d 72 61 6e 64  to/20170723-rand
0a40: 6f 6d 2e 68 74 6d 6c 29 0a                       om.html).