<<< Date Index >>>     <<< Thread Index >>>

Re: /dev/random is probably not



> At the last place at which I worked, a few years ago, a "random
> number" was generated, and used in a FIPS 140-1 compliant
> encryption device, by capturing 128 ethernet frames in sequence
> from the local in-house network, gathering the LSB from the
> arrival time of each frame, and using those values to generate
> an encryption key. This was part of the "activation sequence"
> which had to be done, once, on each such device.
>
> Any studies out there on the randomness of such a number?
> At first glance a non-deterministic network would seem to be
> able to generate a useful number for the key.

It doesn't look like a good source of entropy. At least it wouldn't
withstand an active attack during this activation phase.


> - Bob Foxworth, GSEC, CISSP

Thomas Biege

-- 
Tom <tom@xxxxxxxxxxxxxxxxxx>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF