RE: True random numbers wanted

From: Harvey Newstrom (mail@HarveyNewstrom.com)
Date: Wed Sep 11 2002 - 21:53:23 MDT


Mike Lorrey wrote on Wednesday, September 11, 2002 9:14 pm,
> > It's far simpler than that. You can make your keyboard a random number
> > generator. A simple program will time to the nanosecond the amount of
> > time between each keystroke while you are typing a given amount of
> > text.

Be careful if you try to program this. This is a classic programming error
in security circles, almost as famous as a buffer overflow. Keyboards
usually buffer keystrokes into a text buffer, and the timing of the keyboard
input is usually limited by the software input loop rather than real typing
rhythms. Many programs that have attempted to use keyboard timing to
generate random numbers failed to do it correctly and got more regular
intervals whose timings were more related to their CPU load than to
typing speed. This seems like an obvious source for true random numbers and
has led to the greatest amount of false-random number generation.

See <http://www.random.org/essay.html> and their other papers about how hard
it is to really generate random numbers. Most schemes, such as keyboard
timing, just don't work as expected. For this reason, keyboard measurements
are specifically disallowed by some government programs working on
encryption and random numbers.

--
Harvey Newstrom, CISSP <www.HarveyNewstrom.com>
Principal Security Consultant <www.Newstaff.com>
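
The failure mode described in the message above, as an added example that is not part of the original e-mail: a min-entropy check on the low bits of inter-keystroke intervals, run once on timestamps taken at the key press and once on timestamps taken by an input loop that drains the keyboard buffer on a fixed tick. The keystroke model, the 10 ms tick and all function names are assumptions made for the illustration, and the sample data is constructed.

```python
import math
import random
from collections import Counter

TICK_NS = 10_000_000  # assumed input-loop period: 10 ms (constructed value)

def true_key_times(n, seed=1):
    """Constructed sample: key-press instants in ns with human-like jitter."""
    rng = random.Random(seed)
    t, out = 0, []
    for _ in range(n):
        t += max(1, int(rng.gauss(180e6, 40e6)))  # ~180 ms between keys
        out.append(t)
    return out

def polled_read_times(key_times, tick_ns=TICK_NS):
    """Timestamps a program records when it reads the buffer once per tick:
    each key is stamped with the time the loop ran, not the time of the press."""
    return [((t // tick_ns) + 1) * tick_ns for t in key_times]

def low_bits(times, bits=8):
    """The naive generator: keep the low `bits` bits of each interval."""
    mask = (1 << bits) - 1
    return [(b - a) & mask for a, b in zip(times, times[1:])]

def min_entropy_bits(samples):
    """Most-common-value estimate, -log2(p_max), in bits per sample."""
    p_max = max(Counter(samples).values()) / len(samples)
    return -math.log2(p_max)

def compare(n=4000):
    """Return (bits/sample at the press, bits/sample via the loop, loop values)."""
    pressed = true_key_times(n)
    seen = polled_read_times(pressed)
    return (min_entropy_bits(low_bits(pressed)),
            min_entropy_bits(low_bits(seen)),
            sorted(set(low_bits(seen))))

if __name__ == "__main__":
    at_press, via_loop, values = compare()
    print(f"low byte, stamped at key press: {at_press:.2f} bits/sample")
    print(f"low byte, stamped by input loop: {via_loop:.2f} bits/sample")
    print(f"distinct low-byte values via loop: {values}")
```

Every interval seen through the loop is a whole number of ticks, so the "random" low byte carries at most one bit however erratic the typing was. A high estimate on real data is only an upper bound and does not show the source is unpredictable.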


This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:16:58 MST