[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[ale] random numbers on different operating systems [was: Re: Best kind of ssh key]
- Subject: [ale] random numbers on different operating systems [was: Re: Best kind of ssh key]
- From: ozone at webgroup.org (David Tomaschik)
- Date: Tue Sep 25 15:00:41 2007
- In-reply-to: <[email protected]>
- References: <1190738275.7146.4.camel@evan> <1190741372.14395.1.camel@localhost> <1190741995.7146.7.camel@evan> <[email protected]> <[email protected]>
Daniel Kahn Gillmor wrote:
> On Tue 2007-09-25 13:57:53 -0400, Jeff Lightner wrote:
>
>
>> I'll have to say that I think it isn't really a good point. While
>> PuTTY does run on Windoze it is not built by M$ and any issues it
>> would have of the nature discussed would be the fault of the folks
>> that wrote it.
>>
>
> Depending on the selected source of randomness, this might or might
> not be true. Most modern operating systems provide a standard way to
> get access to high-entropy data (the Linux kernel provides /dev/random
> for hardware-level random numbers, and /dev/urandom for non-blocking
> pseudo-random numbers, for example). I'm sure that among those OSes
> which provide such an entropy source as a system service, the quality
> of implementation varies.
>
> I have no idea how putty gets its randomness, but if windows offers a
> system-level random number bucket, it would be reasonable for PuTTY to
> generate its random numbers that way. If there was later discovered
> to be a flaw in the Windows RNG (whatever that is), i'd be hard
> pressed to say it was a fault of the PuTTY implementors, just as i'd
> be hard pressed to fault an openSSH implementation for a failure of
> /dev/{u,}random on a Linux system.
>
> Regards,
>
> --dkg
>
That being said, if there was a KNOWN flaw in the windows RNG
implementation, I would fault anyone writing security software that
depends on that. (I'm not saying there was, but it seems like the PuTTY
people were aware of SOME problem).
David