LINUX.IE, website of the Irish Linux Users' Group
Tux rules!

   
Home
New Users
Articles
Download
Projects
Community
Vendors

  Print Version
Email to...
 
Archives:


planetILUG

Recent News

News Archive


Join the
ILUG
on FaceBook


Join the
ILUG
on LinkedIn


Join the
ILUG SETI
Group



















 
 :: Mailing Lists

[ILUG] serious Debian/Ubuntu security hole found

[ILUG] serious Debian/Ubuntu security hole found

paul at clubi.ie paul at clubi.ie
Thu May 15 14:40:10 IST 2008 

On Thu, 15 May 2008, Timothy Murphy wrote:

> My impression is that while random number generation based on 
> quantum theory sounds a nice idea, in practice a mathematical 
> pseudo-random number generator is probably much more reliable, and 
> certainly much simpler.
>
> By definition, it is impossible to test if a source is random; What 
> reason do you have to suppose your "Zener approach" (which I didn't 
> really understand) produces random output?
>
> I haven't seen any evidence that intelligently designed 
> pseudo-random number generators have ever caused any problem. 
> Personally, I'd trust Knuth much more than any DIY device.

Trust a mathematician to put their faith in the abstract over the 
physical ;).

I don't have my Knuth handy to be more specific, but my (terribly 
bad) memory of it is:

- He details some of the tests that exist to detect patterns and help
   detect non-random data.*

- The Knuth work describes PRNG techniques that are seriously old
   (50s or 60s) - I've got this nagging voice in my head that says
   that those PRNGs, that were once state-of-the-art, have long been
   found to have weaknesses, but I dont know for certain.

If we can't determine randonmess, why should trust the output of a 
man-made algorithm that /seems/ random over measurements of physical 
processes that we apparently have good reason to believe /are/ 
random?**

Just evolutionary advances in one field would be enough to render 
those PRNGs flawed, while it would need major, revolutionary advances 
in the other to undermine the empirical, physical-process based RNGs.

???

*  And methinks all PRNGs, such as the openssl one, should constantly
    self-test their output in this way. Perhaps then it wouldn't have
    taken nearly 2 years to detect that Debian was shipping a getpid()
    based PRNG..

** The engineering to measure things seems less hard than the math,
    to me anyway.

regards,
-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
An engineer is someone who does list processing in FORTRAN.

More information about the ILUG mailing list
Read this without the formatting.
                                                                                                    

  

Hosted by HEAnet


 Maintained by the ILUG website team. The aim of Linux.ie is to support and help commercial and private users of Linux in Ireland. You can display ILUG news in your own webpages, read backend information to find out how. Networking services kindly provided by HEAnet, server kindly donated by Dell. Linux is a trademark of Linus Torvalds, used with permission. No penguins were harmed in the production or maintenance of this highly praised website. Looking for the Indian Linux Users' Group? Try here. If you've read all this and aren't a lawyer: you should be!
RSS Version
Powered by Dell