Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Encryption Privacy

NIST Updates Random Number Generation Guidelines 64

An anonymous reader writes: Encryption weighs heavily on the public consciousness these days, as we've learned that government agencies are keeping an eye on us and a lot of our security tools aren't as foolproof as we've thought. In response to this, the National Institute of Standards and Technology has issued a formal update to its document on how to properly generate a random number — crucial in many types of encryption. The update (as expected) removes a recommendation for the Dual_EC_DRBG algorithm. It also adds extra options for CTR_DRBG and points out examples for implementing SP 800-90A generators. The full document (PDF) is available online.
This discussion has been archived. No new comments can be posted.

NIST Updates Random Number Generation Guidelines

Comments Filter:
  • by sinij ( 911942 ) on Saturday June 27, 2015 @12:43AM (#50000713)
    One of they few poorly understood concepts in software development is that improperly initialized (called seeding) DRBG will break your crypto.

    For Linux, and especially for headless systems, use /dev/random for seeding. You want it to block if not enough randomness available.
    • Comment removed based on user account deletion
      • by Copid ( 137416 ) on Saturday June 27, 2015 @01:03AM (#50000779)
        The classic Schneier Applied Cryptography is a great read for anybody who wants a good starting point on the basic concepts and practical considerations. It's technical-ish but conceptual rather than mathematical and leans toward describing what the various crypto pieces do, why they exist, and what they're used for. To get a good intro to some math, try The Handbook of Applied Cryptography [uwaterloo.ca]. If you have a little bit of number theory and are willing to do some exercises up front, the book is largely self-contained and very well written. It's free for personal use, but nobody I know regretted buying a hard copy.
        • Thank you a thousand times to the link to the handbook! Now I can ditch the boring William Stallings crypto book which I never finished AND I don't need a physical copy!

        • by VTBlue ( 600055 )

          Great resource! Thanks for this link.

    • by EmeraldBot ( 3513925 ) on Saturday June 27, 2015 @12:57AM (#50000761)

      One of they few poorly understood concepts in software development is that improperly initialized (called seeding) DRBG will break your crypto. For Linux, and especially for headless systems, use /dev/random for seeding. You want it to block if not enough randomness available.

      Ehhhh, not always [2uo.de].

    • by mlts ( 1038732 )

      What I liked was the original version of PGP when it would ask you to type some random numbers/letters and would use that as a seed.

      It depends on the crypto I was doing: For a number of tasks, say if I were rolling dice for a game, /dev/urandom is good enough. For generating a nonpersistant key (like a session key that is used and tossed during a SSL transaction), /dev/random. For a key that is persistant, it might be even better to use /dev/random, but also ask the user to toss in some random keypresses

    • by bytesex ( 112972 )

      Sweeping statement - not necessarily. Pre-shared keys and all that. It is possible to make good crypto systems without using random. Sorry to be autistic about it.

  • They're more like guidelines anyway.

  • True randomness comes from quantum mechanical phenomena. Linux /dev/random is chaotic, yes, enough to seed a software "R"NG. But we can do better and devices to do so are cheap these days.

    I wouldn't trust anything but diode noise for randomness. If I had a need to transmit messages privately, I'd only trust a one-time pad.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      OneRNG - An Open and Verifiable hardware random number generator [youtube.com] -- relevant talk from Linux.conf.au 2015. It uses diode and (optionally) RF noise to generate a stream of high-quality entropy which couples directly to the kernel.

      They touch upon a concept that I believe many admins should be aware of: if you do mass-deployment of machines, this might very well include generation of e.g. SSH keys. The problem is if the keys are generated in such an early stage that the random pool has not been able to be read

  • Why do so many systems still use the hashed root or admin password to seed tcp sequence numbers? Cisco, Sun, IBM and DEC all started doing it about the same time. So who suggested it to them and just how many groups know how what it takes to pull bits out of that hash?

  • by Slayer ( 6656 ) on Saturday June 27, 2015 @06:20AM (#50001257)
    NIST recklessly broke our trust in them by allowing known to be broken encryption into their standard. Their new document may come with all the best intentions, but it will take years to rebuild that trust. Let's wait for what the crypto community has to say about these documents, before we blindly follow their latest standards.
    • NIST recklessly broke our trust in them by allowing known to be broken encryption into their standard. Their new document may come with all the best intentions, but it will take years to rebuild that trust. Let's wait for what the crypto community has to say about these documents, before we blindly follow their latest standards.

      Well you could go with the ANSI or ISO RNG specs.

      Oh wait, they're written by the same people.

    • by sinij ( 911942 )
      All you say is true, but you only need to look at what NSA uses to protect their own stuff to know what is secure. Sure, given a chance they will backdoor your stuff, but they will never do this to their own security, since they know even their own backdoor could be used against them.
  • by bytesex ( 112972 ) on Saturday June 27, 2015 @08:12AM (#50001495) Homepage

    To find out where the NSA put the twist.

    • To find out where the NSA put the twist.

      Well P-224 isn't twist secure, if that's what you're hinting at.

      In reality the backdoor isn't in SP800-90A, B or C. It's in FIPS 140-2 section 4.9.2. In a FIPS certified module, that procedure applies to all RNG outputs 16 bits and above. A test that changes the data to create a stream of known algebraic inequalities. Genius.

  • The Yarrow algorithm, or its progeny Fortuna, are not yet a thing?
    Shame.

    https://en.wikipedia.org/wiki/... [wikipedia.org]

To stay youthful, stay useful.

Working...