[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: DIGEST-MD5 and {nonce,cnonce}



Mihai Ibanescu wrote:

>                 Hello
>
>         Another question. How to generate the nonce and cnonce. The draft
> says they are implementation dependent, but should have at least 64 bits
> of entropy. As far as I know as a security issue, the {c,}nonce should be
> unpredictable. So, I am thinking to compute them as a MD5 hash of a struct
> timeval returned by gettimeofday. AFAIK, gettimeofday is quite portable
> (not POSIX, but SVR4 and BSD 4.3 support it), and it's impossible to
> estimate the exact moment (and when I say exact I mean exact by 1e-6
> seconds!) when the challenge/response occur. And hashing it should give me

The attacker may not know the exact moment, but probably he can guess the
value within a range of one second. That range contains about 2^20 values,
giving an entropy of 20 bits. (Actually less, because the distribution is not
even).

>
> the needed entropy.

Hashing does not add any entropy at all! Allthough the hash result seems
unpredictable, it is not. The number of possible results is identical to the
number of possible inputs, so you end up with the same 20 bits of entropy.

>
>         Anyone has a comment on that?
>

To be blunt: using gettimeofday to get SECURE random numbers is a really
BAD idea! Most operating systems have much better ways to get random numbers
(for example /dev/random). These specifically have been developed with
security in mind, so use them!

Regards,

Bastiaan Bakker