[OT] Combinatronics WAS Re: /dev/random and linux security issues (kinda long)

aluminumsulfate at earthlink.net aluminumsulfate at earthlink.net
Mon May 16 12:01:16 EDT 2005


   Cc: gnhlug-discuss at mail.gnhlug.org
   From: clark_k at pannaway.com (Kevin D. Clark)
   Date: Mon, 16 May 2005 10:39:36 -0400


   aluminumsulfate at earthlink.net writes:

   >  (1) Always double check your crypto.
   >  (2) Never use Perl BigInts for anything ever... especially crypto.
   >  (3) When in doubt, use LISP.

   I believe that your Perl code is buggy.  Why are you using ord()?  Do
   you understand that when you read from /dev/u?random you're getting a
   raw integer value?

It may very well be that my Perl code has bugs.  But I don't think
they're in string2dec.  If anything, there's something screwy in how I
did base-10-to-base-95 conversion (and back).  When you read
/dev/random, what you get is a byte, just a byte.  (It's a character
device.)

   I have attached an updated string2dec.pl program.

Your script does exactly the same thing that mine does.

dave at bat$ cat > string2dec2.pl 
<snip>
dave at bat$ chmod u+x string2dec2.pl 
dave at bat$ dd if=/dev/random bs=1 count=64 of=foo
dave at bat$ ./string2dec.pl < foo > foo1.dec
dave at bat$ ./string2dec2.pl < foo > foo2.dec
dave at bat$ cat foo?.dec
348972845185895558559598941767433797189071947931735732771073368540314832065075431399661386471966277726180266974672707225617434431063554713733983492443351
348972845185895558559598941767433797189071947931735732771073368540314832065075431399661386471966277726180266974672707225617434431063554713733983492443351
dave at bat$ rm foo foo?.dec string2dec2.pl # :)

   Generally, when I am writing code and I encounter a strange result, my
   first inclination is to assume that perhaps I did something wrong.
   But you seem to be different than me.

Yeah, that's what I suspected, at first.  When I looked over my Perl
code (which is, after all, relatively simple), I could find nothing
wrong.  So the next most likely source of error, I figured, was the
actual RNG.  But now, it seems the error's probably in BigInt.  Why
else would the program go schitz after *seven* digits?

   Regards,

   --kevin
   -- 
   GnuPG ID: B280F24E                     And the madness of the crowd
   alumni.unh.edu!kdc                     Is an epileptic fit
					  -- Tom Waits
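
Added example (not code from this thread or from either poster): an independent cross-check, in Python with its native arbitrary-precision integers, of the byte-string-to-integer and base-95 conversions discussed above. The big-endian byte order and the alphabet of the 95 printable ASCII characters are assumptions; the thread shows neither.

```python
import os

# Assumption: the 95 printable ASCII characters, space (0x20) through '~' (0x7e).
ALPHABET = "".join(chr(c) for c in range(0x20, 0x7F))
BASE = len(ALPHABET)  # 95


def bytes_to_int(data: bytes) -> int:
    """Accumulate bytes as base-256 digits, most significant first (assumed order)."""
    n = 0
    for b in data:
        n = n * 256 + b
    return n


def int_to_base95(n: int) -> str:
    """Encode a non-negative integer as base-95 digits; zero encodes as one digit."""
    if n < 0:
        raise ValueError("negative input")
    digits = []
    while True:
        n, r = divmod(n, BASE)
        digits.append(ALPHABET[r])
        if n == 0:
            break
    return "".join(reversed(digits))


def base95_to_int(s: str) -> int:
    """Decode base-95 digits; raises ValueError on a character outside the alphabet."""
    n = 0
    for ch in s:
        n = n * BASE + ALPHABET.index(ch)
    return n


def roundtrip_ok(data: bytes) -> bool:
    """Check the hand-rolled path against the built-in conversion and against itself."""
    n = bytes_to_int(data)
    if n != int.from_bytes(data, "big"):
        return False
    if base95_to_int(int_to_base95(n)) != n:
        return False
    # Leading zero bytes vanish in the integer, so the length is needed to get the bytes back.
    return n.to_bytes(len(data), "big") == data


if __name__ == "__main__":
    sample = os.urandom(64)  # constructed input, same size as the dd test in the message
    print(bytes_to_int(sample))
    print(int_to_base95(bytes_to_int(sample)), roundtrip_ok(sample))
```

Two byte strings that differ only in leading zero bytes map to the same integer, so a decimal or base-95 rendering alone does not identify the original input.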


