[OT] Combinatronics WAS Re: /dev/random and linux security
issues (kinda long)
aluminumsulfate at earthlink.net
aluminumsulfate at earthlink.net
Mon May 16 12:01:16 EDT 2005
Cc: gnhlug-discuss at mail.gnhlug.org
From: clark_k at pannaway.com (Kevin D. Clark)
Date: Mon, 16 May 2005 10:39:36 -0400
--=-=-=
aluminumsulfate at earthlink.net writes:
> (1) Always double check your crypto.
> (2) Never use Perl BigInt's for anything ever... especially crypto.
> (3) When in doubt, use LISP.
I believe that your Perl code is buggy. Why are you using ord()? Do
you understand that when you read from /dev/u?random you're getting a
raw integer value?
It may very well be that my Perl code has bugs. But I don't think
they're in string2dec. If anything, there's something screwy in how I
did base-10-to-base-95 conversion (and back). When you read
/dev/random, what you get is a byte, just a byte. (It's a character
device.)
I have attached an updated string2dec.pl program.
Your script does exactly the same thing that mine does.
dave at bat$ cat > string2dec2.pl
<snip>
dave at bat$ chmod u+x string2dec2.pl
dave at bat$ dd if=/dev/random bs=1 count=64 of=foo
dave at bat$ ./string2dec.pl < foo > foo1.dec
dave at bat$ ./string2dec2.pl < foo > foo2.dec
dave at bat$ cat foo?.dec
348972845185895558559598941767433797189071947931735732771073368540314832065075431399661386471966277726180266974672707225617434431063554713733983492443351
348972845185895558559598941767433797189071947931735732771073368540314832065075431399661386471966277726180266974672707225617434431063554713733983492443351
dave at bat$ rm foo foo?.dec string2dec2.pl # :)
Generally, when I am writing code and I encounter a strange result, my
first inclination is to assume that perhaps I did something wrong.
But you seem to be different than me.
Yeah, that's what I suspected, at first. When I looked over my Perl
code (which is, after all, relatively simple), I could find nothing
wrong. So the next most likely source of error, I figured, was the
actual RNG. But now, it seems the error's probably in BigInt. Why
else would the program go schitz after *seven* digits?
Regards,
--kevin
--
GnuPG ID: B280F24E And the madness of the crowd
alumni.unh.edu!kdc Is an epileptic fit
-- Tom Waits
More information about the gnhlug-discuss
mailing list