
Re: DIGEST-MD5 and {nonce,cnonce}



On Mon, 25 Oct 1999, Bastiaan Bakker wrote:

> Mihai Ibanescu wrote:
> 
> > On Mon, 25 Oct 1999, Bastiaan Bakker wrote:
> >
> > > Mihai Ibanescu wrote:
> > >
> > > >                 Hello
> > > >
> > > >         Another question. How do I generate the nonce and cnonce? The draft
> > > > says they are implementation dependent, but should have at least 64 bits
> > > > of entropy. As far as I know, as a security issue, the {c,}nonce should be
> > > > unpredictable. So, I am thinking of computing them as an MD5 hash of a struct
> > > > timeval returned by gettimeofday. AFAIK, gettimeofday is quite portable
> > > > (not POSIX, but SVR4 and BSD 4.3 support it), and it's impossible to
> > > > estimate the exact moment (and when I say exact I mean exact to 1e-6
> > > > seconds!) when the challenge/response occurs. And hashing it should give me
> > >
> > > The attacker may not know the exact moment, but probably he can guess the
> > > value within a range of one second. That range contains about 2^20 values,
> > > giving an entropy of 20 bits. (Actually less, because the distribution is not
> > > even).
> > >
> > > >
> > > > the needed entropy.
> > >
> > > Hashing does not add any entropy at all! Although the hash result seems
> > > unpredictable, it is not. The number of possible results is identical to the
> > > number of possible inputs, so you end up with the same 20 bits of entropy.
> >
> > > >         Does anyone have a comment on that?
> > > >
> > >
> > > To be blunt: using gettimeofday to get SECURE random numbers is a really
> > > BAD idea! Most operating systems have much better ways to get random numbers
> > > (for example /dev/random). These specifically have been developed with
> > > security in mind, so use them!
> >
> >         Yeah, but I am thinking in terms of portability. Is reading from
> > /dev/random portable enough? AFAIK, Linux supports it, but Solaris does
> > not.
> >         Maybe I shouldn't think of portability now, and just use
> > /dev/random.
> 
> I hope you think of both! :-) . OpenLDAP is a multi-platform effort, so keeping
> things portable is desirable.  Unfortunately there isn't a standard for getting
> secure random numbers.
> I guess the best way to do that is to design a generic API for obtaining secure
> random data (could be just a few calls) and then implement that API for the
> platforms you need first.  That should make it easy for other people to add proper
> implementations for other platforms.  (For really lame OSes you can always
> fall back to gettimeofday, accompanied by lots of warnings about the security
> implications.)
> IMO good security on some (most?) platforms is better than false security on all
> platforms.

	Actually, the idea with the middle-level is not that bad.
Something like

int _random_devrandom()
{
	/* Stuff to read from /dev/random, then MD5 on it */
	return 0;
}

int _random_XXX()
{
	return 0;
}

int _random_gettimeofday()
{
	/* Stuff to MD5 the struct timeval */
	return 0;
}

then an array of functions, dynamically built at compile time, and falling
back through the array.

Cheers,
Misa
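An added example (editor's code, not OpenLDAP's and not what the draft prescribes) that puts both halves of this exchange into working C: first the timestamp-based nonce and the attacker's brute force that shows why hashing a struct timeval does not add entropy, then the provider table with fallback that the two of them converge on. Assumptions not in the thread: FNV-1a stands in for MD5 so the block is self-contained (the entropy argument is the same for any fixed hash); /dev/urandom is used rather than /dev/random because the latter may block and a nonce only needs to be unpredictable; the 16-byte hex-encoded nonce, the `WEAK_PROVIDER` convention and all function names are the editor's choices. Builds with `cc -std=c99 nonce.c` on Linux or BSD.

```c
#define _DEFAULT_SOURCE 1   /* gettimeofday()/getpid() prototypes under -std=c99 */
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/time.h>

/* FNV-1a (64-bit) stands in for MD5: any fixed hash has no more distinct outputs than inputs. */
static uint64_t mix64(const void *p, size_t n)
{
    const unsigned char *b = p;
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) { h ^= b[i]; h *= 1099511628211ULL; }
    return h;
}

/* The scheme proposed in the thread: nonce = hash(struct timeval). */
uint64_t weak_nonce(long sec, long usec)
{
    long tv[2] = { sec, usec };
    return mix64(tv, sizeof tv);
}

/* An attacker who knows the second (capture timestamps, or just the clock)
 * tries all 10^6 < 2^20 microsecond values. Returns the usec found, or -1. */
long recover_usec(uint64_t nonce, long sec)
{
    for (long usec = 0; usec < 1000000L; usec++)
        if (weak_nonce(sec, usec) == nonce)
            return usec;
    return -1;
}

typedef int (*random_provider)(unsigned char *out, size_t len);
/* Provider 0: kernel CSPRNG. /dev/urandom rather than /dev/random because the
 * latter may block; a nonce needs unpredictability, not freshly gathered entropy. */
static int random_devurandom(unsigned char *out, size_t len)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0) return -1;              /* no such device: try the next provider */
    for (size_t got = 0; got < len; ) {
        ssize_t r = read(fd, out + got, len - got);
        if (r <= 0) { close(fd); return -1; }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Last resort: the thread's gettimeofday fallback plus pid and a counter so it
 * never repeats within a process. Still guessable (see recover_usec). */
static int random_gettimeofday(unsigned char *out, size_t len)
{
    static uint64_t counter;
    struct timeval tv;
    gettimeofday(&tv, NULL);
    uint64_t seed[3] = { (uint64_t)tv.tv_sec, (uint64_t)tv.tv_usec,
                         ((uint64_t)getpid() << 32) | counter++ };
    for (size_t i = 0; i < len; i += 8, seed[2]++) {
        uint64_t h = mix64(seed, sizeof seed);
        memcpy(out + i, &h, len - i < 8 ? len - i : 8);
    }
    return 0;
}

/* Strongest first; a port inserts its platform's source ahead of the fallback. */
static const random_provider providers[] = { random_devurandom, random_gettimeofday };
#define WEAK_PROVIDER ((int)(sizeof providers / sizeof *providers) - 1)

/* Fill 'out'; returns the index of the provider used (WEAK_PROVIDER means the
 * gettimeofday fallback and deserves a loud warning), or -1 if all failed. */
int secure_random_bytes(unsigned char *out, size_t len)
{
    for (int i = 0; i <= WEAK_PROVIDER; i++)
        if (providers[i](out, len) == 0)
            return i;
    return -1;
}

/* DIGEST-MD5 nonce: 16 random bytes (128 bits) as 32 hex characters plus NUL. */
int make_nonce(char hex[33])
{
    unsigned char raw[16];
    hex[0] = '\0';
    int src = secure_random_bytes(raw, sizeof raw);
    for (size_t i = 0; src >= 0 && i < sizeof raw; i++)
        sprintf(hex + 2 * i, "%02x", raw[i]);
    return src;
}

int main(void)
{
    char nonce[33];
    int src = make_nonce(nonce);
    printf("nonce=%s provider=%d%s\n", nonce, src, src == WEAK_PROVIDER ? " (WEAK)" : "");
    printf("usec recovered from a timestamp nonce: %ld\n",
           recover_usec(weak_nonce(940000000L, 123456L), 940000000L));
    return 0;
}
```

The return value of secure_random_bytes() is what lets the caller act on the portability compromise described above: anything below WEAK_PROVIDER came from a source designed for security, while WEAK_PROVIDER means the build landed on the timestamp fallback and should say so at startup rather than silently hand out nonces an attacker can enumerate in milliseconds.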