[ale] random numbers on different operating systems [was: Re: Best kind of ssh key]

David Tomaschik ozone at webgroup.org
Tue Sep 25 15:00:41 EDT 2007


Daniel Kahn Gillmor wrote:
> On Tue 2007-09-25 13:57:53 -0400, Jeff Lightner wrote:
>
>   
>> I'll have to say that I think it isn't really a good point.  While
>> PuTTY does run on Windoze it is not built by M$ and any issues it
>> would have of the nature discussed would be the fault of the folks
>> that wrote it.
>>     
>
> Depending on the selected source of randomness, this might or might
> not be true.  Most modern operating systems provide a standard way to
> get access to high-entropy data (the Linux kernel provides /dev/random
> for hardware-level random numbers, and /dev/urandom for non-blocking
> pseudo-random numbers, for example).  I'm sure that among those OSes
> which provide such an entropy source as a system service, the quality
> of implementation varies.
>
> I have no idea how PuTTY gets its randomness, but if Windows offers a
> system-level random number bucket, it would be reasonable for PuTTY to
> generate its random numbers that way.  If there was later discovered
> to be a flaw in the Windows RNG (whatever that is), i'd be hard
> pressed to say it was a fault of the PuTTY implementors, just as i'd
> be hard pressed to fault an OpenSSH implementation for a failure of
> /dev/{u,}random on a Linux system.
>
> Regards,
>
>         --dkg
>   
That being said, if there was a KNOWN flaw in the Windows RNG
implementation, I would fault anyone writing security software that
depends on that.  (I'm not saying there was, but it seems like the PuTTY
people were aware of SOME problem).

David


