EGD requirement a show stopper for me

Gary E. Miller gem at
Thu Feb 3 07:12:08 EST 2000

Yo Dave!

On Wed, 2 Feb 2000, Dave Dykstra wrote:

> > The whole point of /dev/random is to add entropy to the PRNG.  The problem
> > with a PRNG is that once you figure out the internal state of the PRNG
> > you can recover past states and predict future states.  Once you can
> > predict states, even if the prediction is slightly off, then you have
> > seriously reduced the strength of the encryption.
> > 
> > This is the basis of the cracks for S/Key and some other crypto.
> OK, but could one figure out the internal state of the PRNG without having
> access to the seed file?  I'm not worried about compromise of the seed file.
> I would think that if somebody could figure out what numbers were being
> generated by the PRNG they could predict what it might do in the future, but
> as far as I know there's no way for someone to do that without having already
> broken into the legitimate client or server.
I am not a cryptographer, I just listen to them, and they are all
fanatics about having real randomness.  A lot of these guys hook up
Geiger counters, FM radios, Zener diodes, sound cards, etc. because
they think they see patterns in /dev/random.  I am not that fanatic,
but have seen attacks based on guessing the PRNG.

> I don't get why SSH 1.2.27 can do without /dev/random and EGD and yet
> there's been no CERT advisories saying that that part of SSH is insecure.
If you check the file randoms.c in the ssh 1.2.27 source you
will see how they do it.  They pull in entropy from not only /dev/random
if it is available, but from a lot of other sources.  Sources like:
	ps laxww
	ps -al
	ls -alni /tmp/.
	netstat -s 
	netstat -an
	netstat -in

As you can see, ssh is pretty paranoid about having a good random

Gary E. Miller Rellim 20340 Empire Ave, Suite E-3, Bend, OR 97701
	gem at  Tel:+1(541)382-8588 Fax: +1(541)382-8676

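The multi-source gathering Gary describes, as an added Python example rather than ssh's own randoms.c: it runs the listed commands, reads /dev/random without blocking, and length-prefix-hashes every labelled output into one SHA-256 pool (the pool layout, the non-blocking read and the timeouts are my own choices, not taken from ssh).

```python
import hashlib
import os
import subprocess
from typing import Iterable, List, Tuple
# Commands named in the post; one that is absent, fails or hangs contributes nothing.
COMMAND_SOURCES = [
    ["ps", "laxww"],
    ["ps", "-al"],
    ["ls", "-alni", "/tmp/."],
    ["netstat", "-s"],
    ["netstat", "-an"],
    ["netstat", "-in"],
]

def run_source(argv: List[str], timeout: float = 5.0) -> bytes:
    """Return a command's stdout, or b'' if it is missing, fails or times out."""
    try:
        return subprocess.run(argv, capture_output=True, timeout=timeout).stdout
    except (OSError, subprocess.TimeoutExpired):
        return b""

def read_dev_random(n: int = 32) -> bytes:
    """Read up to n bytes from /dev/random without blocking; b'' if unavailable."""
    try:
        fd = os.open("/dev/random", os.O_RDONLY | os.O_NONBLOCK)
    except OSError:
        return b""
    try:
        return os.read(fd, n)
    except OSError:  # includes BlockingIOError when the pool is not yet ready
        return b""
    finally:
        os.close(fd)

def mix_pool(sources: Iterable[Tuple[str, bytes]]) -> bytes:
    """Hash every (label, data) pair into one 32-byte pool.
    Length-prefixing keeps sources apart (b"ab"+b"c" vs b"a"+b"bc"); the pool is
    only as unpredictable as the sources an attacker cannot guess, and ps/netstat
    output is mostly fixed structure, so it carries far fewer bits than its size."""
    h = hashlib.sha256()
    for label, data in sources:
        for field in (label.encode(), data):
            h.update(len(field).to_bytes(4, "big") + field)
    return h.digest()

def gather_entropy() -> bytes:
    """Collect /dev/random plus every command's output, then mix them."""
    contributions = [("/dev/random", read_dev_random())] + [
        (" ".join(argv), run_source(argv)) for argv in COMMAND_SOURCES]
    return mix_pool(contributions)
```

The digest is a seed for a PRNG, not a replacement for one; the unguessable bits in it are bounded by whatever /dev/random contributed, not by the size of the command output.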