From: Mike Lorrey (mlorrey@yahoo.com)
Date: Mon Sep 16 2002 - 16:01:57 MDT
--- Harvey Newstrom <mail@HarveyNewstrom.com> wrote:
>
> Mike Lorrey wrote on Wednesday, September 11, 2002 9:14 pm,
> > > Its far simpler than that. You can make your keyboard a random
> > number
> > > generator. A simple program will time to the nanosecond the
> > amount of
> > > time between each keystroke while you are typing a given amount
> > of text.
>
> Be careful if you try to program this. This is a classic programming
> error in security circles, almost as famous as a buffer overflow.
> Keyboards
> usually buffer keystrokes into a text buffer, and the timing of the
> keyboard
> input is usually limited by the software input loop rather than real
> typing
> rhythms. Many programs that have attempted to use keyboard timing to
> generate random numbers failed to do it correctly and got more
regular
> intervals whose timings were more related to their cpu load rather
> than typing speed. This seems like an obvious source for true random
> numbers and
> has lead to a greatest number of false-random number generation.
>
> See <http://www.random.org/essay.html> and their other papers about
> how hard it is to really generate random numbers. Most schemes,
> such as keyboard
> timing, just don't work as expected. For this reason, keyboard
> measurements
> are specifically disallowed by some government programs working on
> encryption and random numbers.
Granted, if you are reading from the buffer rather than the RS-232 feed
from the keyboard, you are going to fail to get effective number
generation. However, my example was simply to refute the claim that it
is impossible to generate random numbers other than by quantum means.
One respondent said that while the keyboard method isn't truly random,
for all intents and purposes its results cannot be distinguished from
random, which kinda reminded me of the classic Clarke saying about
distinguishing sufficiently advanced technology from magic.
Possibly a better example is mouse input, which is, in fact, acceptable
AFAICR to government programs (for example, some implementations of PGP
use it). moving your mouse around a screen generates lots of numbers:
speeds, accelerations, etc within 2 dimensions, which a program can use
to extract random data from precisely because human body movements are
not precision controlled mechanisms.
__________________________________________________
Do you Yahoo!?
Yahoo! News - Today's headlines
http://news.yahoo.com
This archive was generated by hypermail 2.1.5 : Sat Nov 02 2002 - 09:17:05 MST