User: Password:
|
|
Subscribe / Log in / New account

Wgetting bytes from random.org

Wgetting bytes from random.org

Posted May 30, 2008 10:12 UTC (Fri) by Duncan (guest, #6647)
In reply to: Wgetting bytes from random.org by pr1268
Parent article: Appropriate sources of entropy

[reposted as the initial submission timed out without confirmation]

Viewing the previous replies to your script posting, I'd say it's a good 
thing you don't increase the entropy count based on that script.  After 
all, you're using an unencrypted http: connection.  As such, it'd be a 
(relatively) simple matter for an attacker, indeed, even a remote 
attacker, to do a MitM attack and substitute whatever he wanted into 
the "response from random.org", which for all you know is anything but.

So yes, in line with the theme of the article, adding the bits shouldn't 
do any harm, as long as you don't count it as added entropy.  However, it 
certainly can't be counted on to /help/ either, since you've really no 
idea where the data is coming from or how predictable it might be, so it's 
a good thing your script does /not/ have the system count it as added 
entropy.

Of course, the first instinct would then be to use an encrypted/ssl 
connection.  However, I believe that'd be defeating the purpose to some 
extent, since creating the encrypted connection will (I assume, I'm no 
authority and really haven't a clue, only a guess) consume entropy in the 
first place.  Assuming it's allowed, one could then grab more entropy from 
random.org than was consumed, but there'd still need to be some entropy 
available initially or the encrypted connection itself would be suspect.

I'm really surprised nobody else noted this in their replies... <shrug>

Duncan


(Log in to post comments)


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds