
Re: DIGEST-MD5 and {nonce,cnonce}
On Mon, 25 Oct 1999, Bastiaan Bakker wrote:

> Mihai Ibanescu wrote:
> 
> > Hello
> >
> >         Another question. How do I generate the nonce and cnonce? The draft
> > says they are implementation dependent, but should have at least 64 bits
> > of entropy. As far as I know, as a security issue, the {c,}nonce should be
> > unpredictable. So I am thinking of computing them as an MD5 hash of a struct
> > timeval returned by gettimeofday. AFAIK, gettimeofday is quite portable
> > (not POSIX, but SVR4 and BSD 4.3 support it), and it's impossible to
> > estimate the exact moment (and when I say exact I mean exact to 1e-6
> > seconds!) when the challenge/response occurs. And hashing it should give me
> 
> The attacker may not know the exact moment, but probably he can guess the
> value within a range of one second. That range contains about 2^20 values,
> giving an entropy of 20 bits. (Actually less, because the distribution is not
> even).
> 
> >
> > the needed entropy.
> 
> Hashing does not add any entropy at all! Although the hash result seems
> unpredictable, it is not. The number of possible results is identical to the
> number of possible inputs, so you end up with the same 20 bits of entropy.

> >         Does anyone have a comment on that?
> >
> 
> To be blunt: using gettimeofday to get SECURE random numbers is a really
> BAD idea! Most operating systems have much better ways to get random numbers
> (for example /dev/random). These specifically have been developed with
> security in mind, so use them!

	Yeah, but I am thinking in terms of portability. Is reading from
/dev/random portable enough? AFAIK, Linux supports it, but Solaris does
not.
	Maybe I shouldn't think of portability now, and just use
/dev/random.

Thanks.
Misa
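
An added example, not code from anyone in this thread, showing the approach Bastiaan recommends: the nonce is built from the operating system's random device rather than from gettimeofday(). It assumes a Unix-like system that exposes /dev/urandom (the non-blocking sibling of /dev/random); the 8 raw bytes give the 64 bits of entropy the draft asks for, and the hex encoding is this example's own choice.

```c
/* Added example (not from the original thread): derive a DIGEST-MD5 nonce
 * from the OS random device instead of gettimeofday(). Assumes a Unix-like
 * system with /dev/urandom (the non-blocking sibling of /dev/random). */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define NONCE_BYTES 8                   /* the draft's 64 bits of entropy */
#define NONCE_HEXLEN (2 * NONCE_BYTES)

/* Fill buf with n bytes from /dev/urandom. Handles short reads and EINTR;
 * returns 0 on success, -1 on failure. Never falls back to the clock. */
static int os_random_bytes(unsigned char *buf, size_t n)
{
    int fd = open("/dev/urandom", O_RDONLY);
    if (fd < 0)
        return -1;
    size_t got = 0;
    while (got < n) {
        ssize_t r = read(fd, buf + got, n - got);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0) {                   /* error or exhausted device */
            close(fd);
            return -1;
        }
        got += (size_t)r;
    }
    close(fd);
    return 0;
}

/* Write a NUL-terminated NONCE_HEXLEN-character hex nonce into out
 * (out must hold NONCE_HEXLEN + 1 bytes). Returns 0 on success, -1 on failure.
 * Hex contains neither '"' nor '\\', so the value drops straight into the
 * challenge's quoted-string syntax without escaping. */
int make_nonce(char *out, size_t outlen)
{
    unsigned char raw[NONCE_BYTES];
    if (outlen < NONCE_HEXLEN + 1 || os_random_bytes(raw, sizeof raw) != 0)
        return -1;
    for (size_t i = 0; i < NONCE_BYTES; i++)
        snprintf(out + 2 * i, 3, "%02x", raw[i]);
    return 0;
}
```

A failed read returns -1 so the caller can abort the authentication exchange; it should never substitute a clock-derived value in that case.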