
Re: DIGEST-MD5 and {nonce,cnonce}



Mihai Ibanescu wrote:

> On Mon, 25 Oct 1999, Bastiaan Bakker wrote:
>
> > Mihai Ibanescu wrote:
> >
> > >                 Hello
> > >
> > >         Another question. How to generate the nonce and cnonce. The draft
> > > says they are implementation dependent, but should have at least 64 bits
> > > of entropy. As far as I know as a security issue, the {c,}nonce should be
> > > unpredictable. So, I am thinking to compute them as a MD5 hash of a struct
> > > timeval returned by gettimeofday. AFAIK, gettimeofday is quite portable
> > > (not POSIX, but SVR4 and BSD 4.3 support it), and it's impossible to
> > > estimate the exact moment (and when I say exact I mean exact by 1e-6
> > > seconds!) when the challenge/response occur. And hashing it should give me
> >
> > The attacker may not know the exact moment, but probably he can guess the
> > value within a range of one second. That range contains about 2^20 values,
> > giving an entropy of 20 bits. (Actually less, because the distribution is not
> > even).
> >
> > >
> > > the needed entropy.
> >
> > Hashing does not add any entropy at all! Although the hash result seems
> > unpredictable, it is not. The number of possible results is identical to the
> > number of possible inputs, so you end up with the same 20 bits of entropy.
>
> > >         Anyone has a comment on that?
> > >
> >
> > To be blunt: using gettimeofday to get SECURE random numbers is a really
> > BAD idea! Most operating systems have much better ways to get random numbers
> > (for example /dev/random). These specifically have been developed with
> > security in mind, so use them!
>
>         Yeah, but I am thinking in terms of portability. Is reading from
> /dev/random portable enough? AFAIK, linux supports it, but Solaris does
> not.
>         Maybe I shouldn't think of portability now, and just use
> /dev/random.

I hope you think of both! :-). OpenLDAP is a multi-platform effort, so keeping
things portable is desirable.  Unfortunately there isn't a standard for getting
secure random numbers.
I guess the best way to do that is to design a generic API for obtaining secure
random data (could be just a few calls) and then implement that API for the
platforms you need first.  That should make it easy for other people to add proper
implementations for other platforms.  (For really lame OSes you can always
fallback to the gettimeofday, accompanied by lots of warnings about the security
implications.)
IMO good security on some (most?) platforms is better than false security on all
platforms.

Bastiaan
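
As an added example of the generic API sketched above (this is not OpenLDAP code and not from anyone in the thread): one backend reads a kernel random device, assumed here to be /dev/urandom, and the gettimeofday approach is kept only as a flagged fallback that prints the warning the message asks for. The function names, the 16-byte nonce size and the hex encoding are assumptions of the example; a per-process counter is mixed into the fallback so repeated calls stay unique, which gives uniqueness but no extra unpredictability.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/time.h>

/* Example code, not OpenLDAP's own. A tiny "secure random" API with one
 * proper backend and one clearly-marked weak fallback. */

#define NONCE_BYTES 16              /* 128 bits, well above the 64-bit floor */
#define RAND_DEVICE "/dev/urandom"  /* assumption: Linux/BSD-style device   */

/* Backend 1: kernel random device. Returns 0 on success, -1 if unavailable. */
static int rand_from_device(unsigned char *buf, size_t len)
{
    int fd = open(RAND_DEVICE, O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < len) {
        ssize_t n = read(fd, buf + got, len - got);
        if (n <= 0) {            /* short read or error: never hand back partial data */
            close(fd);
            return -1;
        }
        got += (size_t)n;
    }
    close(fd);
    return 0;
}

/* Backend 2: the gettimeofday idea from the thread. WEAK: an attacker who
 * knows the second has about 2^20 candidates for tv_usec. The counter and
 * pid only keep repeated calls distinct; they add no unpredictability, and
 * hashing the result would not add any either. */
static int rand_from_timeofday(unsigned char *buf, size_t len)
{
    static unsigned long counter = 0;
    struct timeval tv;
    pid_t pid = getpid();
    unsigned char seed[sizeof tv + sizeof counter + sizeof pid];

    gettimeofday(&tv, NULL);
    counter++;
    memcpy(seed, &tv, sizeof tv);
    memcpy(seed + sizeof tv, &counter, sizeof counter);
    memcpy(seed + sizeof tv + sizeof counter, &pid, sizeof pid);

    /* XOR-fold the seed material into the output buffer. */
    memset(buf, 0, len);
    for (size_t i = 0; i < sizeof seed && len > 0; i++)
        buf[i % len] ^= seed[i];
    return 0;
}

/* Generic API: fill buf with len bytes; *weak tells the caller whether the
 * insecure fallback had to be used. Returns 0 on success, -1 on failure. */
int secure_random_bytes(unsigned char *buf, size_t len, int *weak)
{
    if (rand_from_device(buf, len) == 0) {
        *weak = 0;
        return 0;
    }
    fprintf(stderr, "warning: no secure random source; falling back to "
                    "gettimeofday (roughly 20 bits of entropy per second)\n");
    *weak = 1;
    return rand_from_timeofday(buf, len);
}

/* DIGEST-MD5 nonce/cnonce: NONCE_BYTES random bytes, hex-encoded so the
 * value is a safe quoted-string (no '"' or control characters). Returns the
 * number of hex characters written, or -1 if out is too small or no random
 * source could be used. */
int make_nonce(char *out, size_t outlen, int *weak)
{
    unsigned char raw[NONCE_BYTES];
    static const char hex[] = "0123456789abcdef";

    if (outlen < 2 * NONCE_BYTES + 1)
        return -1;
    if (secure_random_bytes(raw, sizeof raw, weak) != 0)
        return -1;
    for (size_t i = 0; i < NONCE_BYTES; i++) {
        out[2 * i]     = hex[raw[i] >> 4];
        out[2 * i + 1] = hex[raw[i] & 0x0f];
    }
    out[2 * NONCE_BYTES] = '\0';
    return 2 * NONCE_BYTES;
}

int main(void)
{
    char nonce[2 * NONCE_BYTES + 1];
    int weak;
    if (make_nonce(nonce, sizeof nonce, &weak) < 0) {
        fprintf(stderr, "nonce generation failed\n");
        return 1;
    }
    printf("nonce=\"%s\" (%s source)\n", nonce, weak ? "WEAK fallback" : "kernel");
    return 0;
}
```

Adding a platform goes in one place: a new backend function tried before the fallback in secure_random_bytes. Callers that must refuse to run on the weak path can check the weak flag and abort instead of merely logging.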