Getting random data
Getting real-world random data
   Without input from external devices, a computer cannot get random data.  There are methods to generate pseudo-random data and even to seed the generator so that it gives different sets of random data.  But most of these systems are very easy to attack.  The data is often predictable, or simple attacks can be launched to guess the initializing state of the generator and recreate an entire session's worth of data.
   Getting truly random data into a computer is practically impossible, because even outside the computer such data is hard to get.  But we can get fairly good random data, good enough that it cannot be guessed or predicted.
   There are several ways to get random data from the outside world through various input devices: keyboard, mouse, hard drives, microphones, etc.  Probably the easiest method to acquire external random data is from the keyboard.  Everyone has a keyboard, and most programs require keys to be pressed during operation of the program.  Therefore, this is a source of random data that may not require any extra steps.
   One could try to have a user press keys at random and use which keys they press as the random data source.  But that is actually rather predictable.  Try typing a bunch of random characters sometime and look at the frequency of each character typed.  You will likely find that certain keys are pressed much more often than others.  So using which keys were pressed is not a good source of random data.  However, the time between key presses is a good source of random data.
   There is always a delay between key presses when someone types.  Even a very good typist cannot type at a perfect rate.  We can use this to our advantage.  A simple loop like this can be used to measure the delay between key presses:
  { Requires the Crt unit (uses Crt;) for KeyPressed and ReadKey }
  function GetChar : char;
  var RandomData : byte;
  begin
       RandomData := 0;
       { Free-running 8-bit counter; it wraps many times before a key arrives }
       while not KeyPressed do
         Inc( RandomData );

       { Pass random data to generator }

       GetChar := ReadKey;
  end;

   As you see, 'RandomData' is a number that is continuously incremented while waiting for a key to be pressed.  It is an 8-bit number, so it will reset to zero after 256 increments.  This is useful because most computers can run this loop at great speed, and the counter will reset a great number of times before a key press is registered.  When the key stroke is registered, the number in 'RandomData' is anyone's guess, precisely what we are looking for.  So, using this function will generate 8 bits of random data for every key pressed.  If someone uses a 20 character passphrase, that is 160 bits of good random data generated.
   There are other methods of acquiring outside-world random data, such as watching mouse movement.  Hard drive seek times, when measured at high precision, are a good source of random data.  The system time in milliseconds is a small but hard to predict source of data.  Most modern CPUs have a random number generator built in that is near impossible to predict, as well as a register counting CPU clocks, which is also hard to predict when a program executes.  Systems needing very strong random data often make use of these sources.  However, for systems simply generating salt values or even encryption keys, the delay-between-keys approach will likely be sufficient.
   Although we can get some good random data into the computer, we often need a lot more than a few hundred bits of random data.  If encrypting a single file, we might need only enough random data for a single salt value.  But if we are encrypting a batch of files, we need random data for each of the salt values.  Luckily, we have a great number of solutions to aid in getting more out of our limited amount of true random data.
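The same idea in Python rather than Pascal, as an added example that is not part of the original tutorial: the low byte of each inter-keystroke delay plays the role of the wrapped 8-bit counter, a conservative min-entropy estimate checks how much of the requested key length the samples actually justify, and the raw bytes are hashed before use. The key-press timestamps are constructed for the example; a real program would record them from its input loop.

```python
import hashlib
import math
from collections import Counter


def timing_samples(timestamps_us):
    """One byte per key press: the low 8 bits of the delay (in microseconds)
    between consecutive presses. This mirrors the tutorial's free-running
    8-bit counter, which wraps every 256 increments while waiting for a key."""
    return bytes((b - a) & 0xFF for a, b in zip(timestamps_us, timestamps_us[1:]))


def min_entropy_per_byte(samples):
    """Conservative estimate: -log2(probability of the most frequent byte).
    With n samples it can never exceed log2(n), so collect many samples
    before trusting it; a biased typist or timer gives far less than 8 bits."""
    counts = Counter(samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def pool(samples):
    """Compress the raw timing bytes through SHA-256 so the output is uniform
    even when the raw bytes are biased ("pass random data to generator")."""
    return hashlib.sha256(samples).digest()


def derive(timestamps_us, out_len):
    """Return out_len bytes of key material, refusing when the estimated
    entropy of the samples does not cover the requested length."""
    samples = timing_samples(timestamps_us)
    bits = len(samples) * min_entropy_per_byte(samples)
    if bits < out_len * 8:
        raise ValueError(f"only ~{bits:.1f} bits of estimated entropy "
                         f"for {out_len * 8} bits requested")
    return pool(samples)[:out_len]


# Constructed key-press timestamps (microseconds) for a 9-key passphrase.
_DELAYS_US = [120347, 98211, 143520, 87765, 110003, 99999, 131072, 150001]
SAMPLE_TIMESTAMPS = [1_000_000]
for _d in _DELAYS_US:
    SAMPLE_TIMESTAMPS.append(SAMPLE_TIMESTAMPS[-1] + _d)

if __name__ == "__main__":
    raw = timing_samples(SAMPLE_TIMESTAMPS)
    print("raw bytes:", raw.hex(), "min-entropy/byte:", min_entropy_per_byte(raw))
    print("3-byte salt:", derive(SAMPLE_TIMESTAMPS, 3).hex())
```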

Copyright ©2001-2005, Punkroy. Bla, bla, bla...