An Almost-Secret Algorithm Researchers Used to Break Thousands of RSA Keys (opens in new tab)

(algorithmsoup.wordpress.com)

420 pointswilliamkuszmaul7y ago109 comments

109 comments

62 comments · 16 top-level

schoen7y ago· 10 in thread

This describes research published in 2012 by Arjen Lenstra et al. (https://eprint.iacr.org/2012/064.pdf), which relied on a scalable n-way GCD algorithm that Lenstra's team thought best not to explain to readers (in the hope that the attack wouldn't be quickly replicated for malicious purposes). Coincidentally, another team (Nadia Heninger et al., https://factorable.net/) published extremely similar research in a similar timeframe, without withholding details of that team's GCD calculation approach.

The Heninger et al. paper explains quite a lot about where the underlying problems came from, most often inadequately seeded PRNGs in embedded devices. As the linked article mentions, other subsequent papers have also analyzed variants of this technique and so there's not much secret left about it.

If people are interested in learning about the impact of common factors on the security of RSA, I created a puzzle based on this which you can try out, which also includes an explanation of the issue for programmers who are less familiar with the mathematical context: http://www.loyalty.org/~schoen/rsa/

Notably, my puzzle uses a small set of keys so you can do "easy" pairwise GCD calculations rather than needing an efficient n-way algorithm as described here (which becomes increasingly relevant as the number of keys in question grows).

ikeyany7y ago

I attempted to do your puzzle but the link was blocked by my employer's firewall:

> URL: http://www.loyalty.org/~schoen/rsa/

> Block reason: Violence/Hate/Racism

So... what exactly is loyalty.org all about?

casefields7y ago

"www.loyalty.org itself is the server for the web site of Californians for Academic Freedom, the group I founded to oppose the California loyalty oath, which is still a non-negotiable requirement for anyone who wants to work for the State of California -- including student employees of the University of California. "

http://www.loyalty.org/~schoen/

That's the most controversial thing about the page. In my view it's not a big deal to have that stance but some people don't like others who rock the boat when it comes to the status quo.

2 more replies

schoen7y ago

I don't know why my web site was categorized that way by your employer's firewall.

1 more reply

dunham7y ago

I'm guessing it's a false positive from using an IP similar to a sketchy site. It looks like the IP points to Linode.

For what it's worth, I enjoyed the puzzle when I completed it three years ago. A practical exercise cracking the RSA keys followed by a small classic code breaking puzzle.

inciampati7y ago

I really doubt that shoen's page is any issue. Perhaps you can get to it in the way back machine.

1 more reply

KwanEsq7y ago

Maybe a particularly simplistic auto-categoriser mistook the few eighty-eights (88s) on the root page[0] for their use as Nazi symbolism[1]?

[0] http://www.loyalty.org/

[1] https://en.wikipedia.org/w/index.php?title=88_(number)&oldid...

1 more reply

croh7y ago

mine too interesting. which firewall do your employer use ? here it is sonicwall.

gtsteve7y ago

It appears to be a personal website; I believe it is miscategorised.

swish_bob7y ago

Nice puzzle. Feels like a good exercise for stretching the brain.

lurkertroll7y ago

This website does a great job explaining how encryption works and how it's vulnerable to bad RNGs. Well done.

jMyles7y ago· 7 in thread

A lot of people over the years have gotten the message that "use /dev/urandom and forget about it" is the final, end-all, be-all for secure random number generation.

In fact, this ideology (and that's what it is - an ideology) has been trumpeted right here on HN, in some cases by people who repeatedly seem to comment on topics that they don't fully understand. Security is hard, but there's also a high reputational value on being perceived as an authority on the topic. As a result, there are some nuggets of "wisdom" that require asterisks next to them, including this one.

Even though "just use /dev/urandom" is almost always true, it isn't always true. In fact, the universe of cases where some form of blocking entropy is needed (and again, this is a very tiny set) is growing, not shrinking.

https://security.stackexchange.com/questions/186086/is-alway...

Shoop7y ago

How does a blocking CSPRNG mitigate this attack?

Again, it makes no sense to say that a CSPRNG can start "running low" on entropy.

Here's what djb has to say about this:

     Cryptographers are certainly not responsible for this superstitious nonsense. Think about this for a moment: whoever wrote the /dev/random manual page seems to simultaneously believe that

    (1) we can't figure out how to deterministically expand one 256-bit /dev/random output into an endless stream of unpredictable keys (this is what we need from urandom), but

    (2) we _can_ figure out how to use a single key to safely encrypt many messages (this is what we need from SSL, PGP, etc.).

    For a cryptographer this doesn't even pass the laugh test.

(Unless you're talking about the early boot seeding problem that /dev/urandom has on linux, which is a very real problem).

For reference, here's the classic source I think you're referring to: https://www.2uo.de/myths-about-urandom

FartyMcFarter7y ago

The point is not about "running low on entropy", it's about the possibility of not having enough to begin with. At boot.

aidenn07y ago

Part of the problem is that neither /dev/urandom nor /dev/random on linux do what most people want. /dev/urandom never blocks even right after you've spun up a fresh machine that has not seeded the PRNG, while /dev/random blocks very conservatively, to the point where it is not useful for certain things.

The proper approach for high-volume random numbers is probably to seed a userspace PRNG from /dev/random but that's extra work, particularly in a concurrent program.

tptacek7y ago

Please do not seed a userspace RNG from /dev/random. Most major crypto RNG attacks trace back to userspace RNGs. If you can trust /dev/random to provide a seed for your userspace RNG, then by definition you can also from that point on trust urandom as well.

(getrandom(..., 0) is probably the right long-term solution).

2 more replies

jMyles7y ago

I think that the approach taken in Python as of PEP524[0] gets it about right. And it achieves a very similar level of exposure and performance across platforms as well.

0: https://www.python.org/dev/peps/pep-0524/

jMyles7y ago

> Part of the problem is that neither /dev/urandom nor /dev/random on linux do what most people want.

Agreed, but `getrandom(..., 0)` largely does. And thus, Python's `urandom` is also a good fit for very nearly every use case for randomness inside business logic.

> The proper approach for high-volume random numbers is probably to seed a userspace PRNG from /dev/random...

At a high-level, I don't agree. I think that for high-volume random numbers the best solution is nearly always a trustworthy hardware RNG.

I also think that, while it's possible to properly seed a userspace PRNG from /dev/random, it's rarely a good idea because 1) it's (at least relatively) difficult to do without introducing other vulnerabilities, and 2) if you trust /dev/random as a seed, then you have other viable options in every case.

If you have a need to use a userspace PRNG - and more importantly, the wherewithall and self-awareness to do it properly, then you are almost certainly in a position to need to seed it from an oracle other than your system's /dev/random.

est7y ago

it's worth, now everyone is dong that in docker.

incompatible7y ago· 6 in thread

Could you use a similar idea to go after bitcoin keys? If so, you may not be able to crack any particular key, but you could steal the bitcoins from the ones you did crack.

schoen7y ago

As sowbug and tptacek mention, there are no common-factor attacks against Bitcoin keys. However, that doesn't mean that the PRNGs used in cryptocurrency implementations aren't a concern. The most famous incident was probably this

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018...

(you can find subsequent journalism about the effects of this if you're interested).

There have also been other cryptocurrency PRNG attacks that weren't as high-profile as this issue.

schoen7y ago

I wish I had remembered the "Biased Nonce Sense" paper (which I heard about last week but didn't read!), which someone else mentions downthread at

https://news.ycombinator.com/item?id=18917385

https://eprint.iacr.org/2019/023.pdf

(This is a nonce reuse issue rather than a common-factor vulnerability, but one reason for nonce reuse can also be CSPRNG seeding problems.)

tptacek7y ago

Java SecureRandom: a userland CSPRNG!

1 more reply

sowbug7y ago

With a tiny number of exceptions, Bitcoin private keys are just random sequences of 256 bits. They don't involve primality. So unless a shared CRNG is truly awful, there shouldn't be any reason why keys would cluster around certain values.

tptacek7y ago

Which is basically the thesis of the underlying "Ron Was Wrong Whit Was Right" paper --- that discrete log systems are safer than RSA. Since then, there's been more work done on the pitfalls of prime generation, perhaps most notably the "Prime And Prejudice" paper, which is really excellent and more interesting technically than this article:

https://eprint.iacr.org/2018/749.pdf

New systems should generally avoid RSA, for this reason among several others.

2 more replies

anoncrypto7y ago

See: https://eprint.iacr.org/2019/023.pdf

truantbuick7y ago· 4 in thread

What are the characteristics of those who generated an RSA key sharing a prime factor? Can they be linked back to a few bad CSPRNG implementations?

What are practical steps to be responsible about it?

It's contrived, but I just imagine that if I'm generating some particularly important keys, that I should somehow find a way to give /dev/urandom a kick of some kind. Even if that were possible, it's more likely to make things worse than better. Still, it makes me a little paranoid to even hear about theoretical weaknesses -- especially like collision attacks. I have no idea how long it takes for the CSPRNG to get properly seeded. Does it take a microsecond after booting? 10 minutes? A day?

tptacek7y ago

At the time, there was uncertainty about the root cause, but yes, I think it's been traced back to a set of specific CSPRNGs.

You do not need to give urandom a kick of any kind; once the KRNG is seeded, urandom will for all intents and purposes perpetually feed you secure random bytes. It's likely your distro already goes through some effort to make sure urandom is seeded by the time you start up a shell.

z3t47y ago

Some RNG's use the time of the day in milliseconds as seed, I guess those are easy to brute force. I guess it's all about the size of the seed and it's randomness!?

schoen7y ago

This is probably the most famous issue about that phenomenon:

https://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.ht...

You could say that our understanding of PRNGs has improved a bit since then.

A recent thread about brute-forcing PRNG states in a game:

https://news.ycombinator.com/item?id=18880528

1 more reply

NelsonMinar7y ago

One would hope no RSA key generation software is so stupid as to use that kind of RNG. OTOH, apparently 0.2% of RSA keys were generated by something effectively that dumb.

sublupo7y ago· 4 in thread

> The authors hint in a footnote that at the heart of their computation is an asymptotically fast algorithm, allowing them to bring the running time of the computation down to nearly linear; but the actual description of the algorithm is kept a secret from the reader

How could something like that pass peer review? Their claim is effectively unable to be reproduced.

andreareina7y ago

If I'm reading the numbers right, even using the slow way you'd expect to break on the order of tens of keys per day. Thus the claim that "two out of every one thousand RSA moduli [...] offer no security" is easily verified. The secret algorithm doesn't compute secret data that can't be verified.

codezero7y ago

It’s not clear to me that the journal it was published in is peer reviewed. Not all are.

https://www.springer.com/computer/theoretical+computer+scien...

It’s useful to have such places to publish things, but unfortunate that it’s not clear whether it’s peer reviewed.

rincebrain7y ago

A number of CS publications (or non-CS publications with custom software) don't include the source/enough exact parameters/... to reproduce their results.

ric2b7y ago

Maybe the reviewers had access.

sliken7y ago· 4 in thread

Anyone know of a service (https://factorable.net/keycheck.html was discontinued) or code that would help identify particularly weak keys?

sliken7y ago

Actually factorable.net does have code. Planning to analyze the 1200 user keys I have around to see if any are weak. From what I can tell you can just convert public keys into hex and feed them into their program.

anomalroil7y ago

Yes, but it will only batch-factor the 1200 keys you'd be feeding it with. For such factorization attacks to work best, you need a dataset as large as possible.

spiridow7y ago

Have you tried keylookup?

https://keylookup.kudelskisecurity.com/

sliken7y ago

Tried a few, doesn't seem to handle more than one key well. Worried that 1500 submissions would cause a DoS. After a few it stopped giving me results saying computations were queued.

sempron647y ago· 3 in thread

This is very interesting. I wonder what key generators were used to create the insecure keys.

schoen7y ago

See https://factorable.net/weakkeys12.extended.pdf, which includes some identifications of some of the responsible devices. (Two groups of researchers published independently on this issue at nearly the same time.)

Scoundreller7y ago

Bottom left of page 9 for RSA and middle left of Page 10 goes through which manufacturers were the mode.

lixtra7y ago

TLDR:

Devices that create TLS and SSH keys just after boot when there is not enough entropy.

1 more reply

lipnitsk7y ago· 2 in thread

Another group did a talk on this at DEF CON 26 last year: https://research.kudelskisecurity.com/2018/08/16/breaking-an...

They analyzed over 340 million keys from the web.

> As part of the presentation given at DEF CON 26, one of the outputs was Kudelski Security’s Keylookup application. On this site, you can submit your own public keys and have them tested against our dataset. We will let you know if your key is vulnerable to Batch GCD and ROCA attacks. If your key is in our database, we will be able to give you an answer immediately, if it is not, you may have to wait a bit until the tests complete.

> https://keylookup.kudelskisecurity.com/

tptacek7y ago

I don't think ROCA is related to the vulnerability in the article?

lipnitsk7y ago

Correct, but the main point of their talk and research was focused on Batch GCD processing of hundreds of millions of keys, with ROCA analysis done in addition.

cbhl7y ago· 2 in thread

PuTTYgen, being a Windows application, assumes that a mouse is connected and prompts the user to move the mouse to generate entropy during key creation.

By comparison, ssh-keygen documents the SSH_USE_STRONG_RNG environment variable -- but then recommends against its use (!) since it can cause key generation "to be blocked until enough entropy is available".

hackcasual7y ago

> "to be blocked until enough entropy is available"

which is fine. The idea that entropy is a consumeable resource is a crypto myth that needs to die.

tlb7y ago

It's not consumable, but it can be in short supply right after boot. So /dev/random should block until there's sufficient entropy, but never after that.

4 more replies

gtsteve7y ago· 2 in thread

On this topic, I recall reading earlier computers (of the 80s) used radio tuners tuned into nothing to generate random numbers. Of course, you need some way to randomly choose the frequency but then what comes out should be pretty unpredictable.

I believe Random.org uses an approach similar to this. What is so special about this approach that we couldn't install it as a card in a desktop for example?

amlozano7y ago

Modern desktops have had RNGs built into their chips since Ivy Bridge. Beyond that, they have plenty of decent sources for random numbers such as network traffic. Similarly, mobile devices can use sensor noise to create random numbers pretty well.

The devices people are concerned with are things like embedded devices and sometimes virtual devices.

amenghra7y ago

A zener diode costs $0.01 and gives pretty good randomness. You mix network traffic, user input, other sensors when available and you are gold.

userbinator7y ago· 1 in thread

IMO a bit clickbaity of a title --- I thought there was a recent breakthrough in integer factorisation, when in fact this is really attributable to insufficient randomness.

schoen7y ago

A bigger problem for many readers might be that this is a new post, mainly summarizing research from 2012. So it's not really appropriate to say "(2012)", but it also doesn't announce new discoveries since that time.

skookumchuck7y ago· 1 in thread

After decades of problems with seeding RNGs, why isn't there a electronic circuit that gets a seed from quantum noise or something like that? The circuit could be part of the CPU or support chips.

After all, amplifiers are always trying to increase the signal/noise, and the basis of the reliability of digital circuits is avoiding the noise. Instead, a circuit can amplify the noise and sample it.

tatersolid7y ago

There is. RDRAND for x86/x64 has been in all Intel/AMD for several years.

Most ARM SoC have some equivalent device, but they are nonstandard and require driver support.

Even the TPM chips in basically every desktop, laptop, and server for over a decade have hardware RNG. Again driver support is needed.

The problem is cheap “blue plastic boxes” may not have a hardware RNG, nor will Virtual machines or containers. Writing code to figure out what RNG is available and how to use it is a nightmare so few people do it.

This is why most security people say “use the OS CSPRNG always”. That way user-space code doesn’t have to carry all the platform specifics with it. And presumably integrating the hardware RNG can be done once at the OS layer.

1 more reply

phw7y ago

This idea has since been applied to several other domains. Last year we had a look at all archived RSA keys of Tor relays: https://nymity.ch/anomalous-tor-keys/

We found that several thousand relays that shared prime factors (most part of a research project), ten relays shared moduli, and 122 relays used a non-standard RSA exponent, presumably in an attempt to manipulate the Tor network's distributed hash table, which powers onion services.

daedalus20277y ago

hi, I attempted to recreate the algorithm in the post:

https://github.com/daedalus/misc/blob/master/testQuasiLinear...

betolink7y ago

I don't know why this is still a problem these days, let's just use lava lamps for entropy: https://blog.cloudflare.com/lavarand-in-production-the-nitty...

zde7y ago

> But since they both used the same program to generate random prime numbers, there’s a higher-than-random chance that their public keys share a prime factor

j / k navigate · click thread line to collapse

109 comments

62 comments · 16 top-level

schoen7y ago· 10 in thread

ikeyany7y ago

I attempted to do your puzzle but the link was blocked by my employer's firewall:

> URL: http://www.loyalty.org/~schoen/rsa/

> Block reason: Violence/Hate/Racism

So... what exactly is loyalty.org all about?

casefields7y ago

http://www.loyalty.org/~schoen/

That's the most controversial thing about the page. In my view it's not a big deal to have that stance but some people don't like others who rock the boat when it comes to the status quo.

2 more replies

schoen7y ago

I don't know why my web site was categorized that way by your employer's firewall.

1 more reply

dunham7y ago

I'm guessing it's a false positive from using an IP similar to a sketchy site. It looks like the IP points to Linode.

For what it's worth, I enjoyed the puzzle when I completed it three years ago. A practical exercise cracking the RSA keys followed by a small classic code breaking puzzle.

inciampati7y ago

I really doubt that shoen's page is any issue. Perhaps you can get to it in the way back machine.

1 more reply

KwanEsq7y ago

Maybe a particularly simplistic auto-categoriser mistook the few eighty-eights (88s) on the root page[0] for their use as Nazi symbolism[1]?

[0] http://www.loyalty.org/

[1] https://en.wikipedia.org/w/index.php?title=88_(number)&oldid...

1 more reply

croh7y ago

mine too interesting. which firewall do your employer use ? here it is sonicwall.

gtsteve7y ago

It appears to be a personal website; I believe it is miscategorised.

swish_bob7y ago

Nice puzzle. Feels like a good exercise for stretching the brain.

lurkertroll7y ago

This website does a great job explaining how encryption works and how it's vulnerable to bad RNGs. Well done.

jMyles7y ago· 7 in thread

A lot of people over the years have gotten the message that "use /dev/urandom and forget about it" is the final, end-all, be-all for secure random number generation.

https://security.stackexchange.com/questions/186086/is-alway...

Shoop7y ago

How does a blocking CSPRNG mitigate this attack?

Again, it makes no sense to say that a CSPRNG can start "running low" on entropy.

Here's what djb has to say about this:

     Cryptographers are certainly not responsible for this superstitious nonsense. Think about this for a moment: whoever wrote the /dev/random manual page seems to simultaneously believe that

    (1) we can't figure out how to deterministically expand one 256-bit /dev/random output into an endless stream of unpredictable keys (this is what we need from urandom), but

    (2) we _can_ figure out how to use a single key to safely encrypt many messages (this is what we need from SSL, PGP, etc.).

    For a cryptographer this doesn't even pass the laugh test.

(Unless you're talking about the early boot seeding problem that /dev/urandom has on linux, which is a very real problem).

For reference, here's the classic source I think you're referring to: https://www.2uo.de/myths-about-urandom

FartyMcFarter7y ago

The point is not about "running low on entropy", it's about the possibility of not having enough to begin with. At boot.

aidenn07y ago

The proper approach for high-volume random numbers is probably to seed a userspace PRNG from /dev/random but that's extra work, particularly in a concurrent program.

tptacek7y ago

(getrandom(..., 0) is probably the right long-term solution).

2 more replies

jMyles7y ago

I think that the approach taken in Python as of PEP524[0] gets it about right. And it achieves a very similar level of exposure and performance across platforms as well.

0: https://www.python.org/dev/peps/pep-0524/

jMyles7y ago

> Part of the problem is that neither /dev/urandom nor /dev/random on linux do what most people want.

Agreed, but `getrandom(..., 0)` largely does. And thus, Python's `urandom` is also a good fit for very nearly every use case for randomness inside business logic.

> The proper approach for high-volume random numbers is probably to seed a userspace PRNG from /dev/random...

At a high-level, I don't agree. I think that for high-volume random numbers the best solution is nearly always a trustworthy hardware RNG.

est7y ago

it's worth, now everyone is dong that in docker.

incompatible7y ago· 6 in thread

Could you use a similar idea to go after bitcoin keys? If so, you may not be able to crack any particular key, but you could steal the bitcoins from the ones you did crack.

schoen7y ago

https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2018...

(you can find subsequent journalism about the effects of this if you're interested).

There have also been other cryptocurrency PRNG attacks that weren't as high-profile as this issue.

schoen7y ago

I wish I had remembered the "Biased Nonce Sense" paper (which I heard about last week but didn't read!), which someone else mentions downthread at

https://news.ycombinator.com/item?id=18917385

https://eprint.iacr.org/2019/023.pdf

(This is a nonce reuse issue rather than a common-factor vulnerability, but one reason for nonce reuse can also be CSPRNG seeding problems.)

tptacek7y ago

Java SecureRandom: a userland CSPRNG!

1 more reply

sowbug7y ago

tptacek7y ago

https://eprint.iacr.org/2018/749.pdf

New systems should generally avoid RSA, for this reason among several others.

2 more replies

anoncrypto7y ago

See: https://eprint.iacr.org/2019/023.pdf

truantbuick7y ago· 4 in thread

What are the characteristics of those who generated an RSA key sharing a prime factor? Can they be linked back to a few bad CSPRNG implementations?

What are practical steps to be responsible about it?

tptacek7y ago

At the time, there was uncertainty about the root cause, but yes, I think it's been traced back to a set of specific CSPRNGs.

z3t47y ago

Some RNG's use the time of the day in milliseconds as seed, I guess those are easy to brute force. I guess it's all about the size of the seed and it's randomness!?

schoen7y ago

This is probably the most famous issue about that phenomenon:

https://people.eecs.berkeley.edu/~daw/papers/ddj-netscape.ht...

You could say that our understanding of PRNGs has improved a bit since then.

A recent thread about brute-forcing PRNG states in a game:

https://news.ycombinator.com/item?id=18880528

1 more reply

NelsonMinar7y ago

One would hope no RSA key generation software is so stupid as to use that kind of RNG. OTOH, apparently 0.2% of RSA keys were generated by something effectively that dumb.

sublupo7y ago· 4 in thread

How could something like that pass peer review? Their claim is effectively unable to be reproduced.

andreareina7y ago

codezero7y ago

It’s not clear to me that the journal it was published in is peer reviewed. Not all are.

https://www.springer.com/computer/theoretical+computer+scien...

It’s useful to have such places to publish things, but unfortunate that it’s not clear whether it’s peer reviewed.

rincebrain7y ago

A number of CS publications (or non-CS publications with custom software) don't include the source/enough exact parameters/... to reproduce their results.

ric2b7y ago

Maybe the reviewers had access.

sliken7y ago· 4 in thread

Anyone know of a service (https://factorable.net/keycheck.html was discontinued) or code that would help identify particularly weak keys?

sliken7y ago

anomalroil7y ago

Yes, but it will only batch-factor the 1200 keys you'd be feeding it with. For such factorization attacks to work best, you need a dataset as large as possible.

spiridow7y ago

Have you tried keylookup?

https://keylookup.kudelskisecurity.com/

sliken7y ago

Tried a few, doesn't seem to handle more than one key well. Worried that 1500 submissions would cause a DoS. After a few it stopped giving me results saying computations were queued.

sempron647y ago· 3 in thread

This is very interesting. I wonder what key generators were used to create the insecure keys.

schoen7y ago

Scoundreller7y ago

Bottom left of page 9 for RSA and middle left of Page 10 goes through which manufacturers were the mode.

lixtra7y ago

TLDR:

Devices that create TLS and SSH keys just after boot when there is not enough entropy.

1 more reply

lipnitsk7y ago· 2 in thread

Another group did a talk on this at DEF CON 26 last year: https://research.kudelskisecurity.com/2018/08/16/breaking-an...

They analyzed over 340 million keys from the web.

> https://keylookup.kudelskisecurity.com/

tptacek7y ago

I don't think ROCA is related to the vulnerability in the article?

lipnitsk7y ago

Correct, but the main point of their talk and research was focused on Batch GCD processing of hundreds of millions of keys, with ROCA analysis done in addition.

cbhl7y ago· 2 in thread

PuTTYgen, being a Windows application, assumes that a mouse is connected and prompts the user to move the mouse to generate entropy during key creation.

hackcasual7y ago

> "to be blocked until enough entropy is available"

which is fine. The idea that entropy is a consumeable resource is a crypto myth that needs to die.

tlb7y ago

It's not consumable, but it can be in short supply right after boot. So /dev/random should block until there's sufficient entropy, but never after that.

4 more replies

gtsteve7y ago· 2 in thread

I believe Random.org uses an approach similar to this. What is so special about this approach that we couldn't install it as a card in a desktop for example?

amlozano7y ago

The devices people are concerned with are things like embedded devices and sometimes virtual devices.

amenghra7y ago

A zener diode costs $0.01 and gives pretty good randomness. You mix network traffic, user input, other sensors when available and you are gold.

userbinator7y ago· 1 in thread

IMO a bit clickbaity of a title --- I thought there was a recent breakthrough in integer factorisation, when in fact this is really attributable to insufficient randomness.

schoen7y ago

skookumchuck7y ago· 1 in thread

After decades of problems with seeding RNGs, why isn't there a electronic circuit that gets a seed from quantum noise or something like that? The circuit could be part of the CPU or support chips.

tatersolid7y ago

There is. RDRAND for x86/x64 has been in all Intel/AMD for several years.

Most ARM SoC have some equivalent device, but they are nonstandard and require driver support.

Even the TPM chips in basically every desktop, laptop, and server for over a decade have hardware RNG. Again driver support is needed.

1 more reply

phw7y ago

This idea has since been applied to several other domains. Last year we had a look at all archived RSA keys of Tor relays: https://nymity.ch/anomalous-tor-keys/

daedalus20277y ago

hi, I attempted to recreate the algorithm in the post:

https://github.com/daedalus/misc/blob/master/testQuasiLinear...

betolink7y ago

I don't know why this is still a problem these days, let's just use lava lamps for entropy: https://blog.cloudflare.com/lavarand-in-production-the-nitty...

zde7y ago

> But since they both used the same program to generate random prime numbers, there’s a higher-than-random chance that their public keys share a prime factor

j / k navigate · click thread line to collapse