I need to use the Microsoft CNG API to generate secure random numbers for cryptography.
Am I supposed to generate all the numbers using this API, or just obtain a seed value for another random generator from it?
Any help appreciated!
Thanks.
How many random numbers do you want? There is only a limited amount of entropy in the MS CNG entropy pool. For just a single number/key it is fine. For multiple keys, you are better off using the CNG to seed a separate crypto-quality PRNG.
There is a description of the MS CNG in section 7.1.3 of RFC 4086.
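The "seed a separate crypto-quality PRNG from the OS generator" pattern from the answer above, as an added example (not code from this thread): an HMAC_DRBG in the shape of NIST SP 800-90A, instantiated once from `os.urandom()`. On Windows, CPython's `os.urandom()` is backed by the system CSPRNG (CryptoAPI or CNG depending on the Python version); on Linux it uses `getrandom()`/`/dev/urandom`. The class and function names, the 48-byte seed length and the reseed interval are choices made for this example.

```python
"""HMAC_DRBG (SP 800-90A construction) seeded once from the OS CSPRNG.

Added example for this thread, not code posted by the author. The OS call
supplies the seed; the DRBG stretches it into as many keys as needed.
"""
import hashlib
import hmac
import os


class HmacDrbg:
    """HMAC_DRBG with SHA-256: Instantiate, Generate and Reseed per SP 800-90A."""

    OUTLEN = 32                 # SHA-256 digest length in bytes
    RESEED_INTERVAL = 1 << 16   # conservative choice for this example (the spec allows far more)

    def __init__(self, entropy: bytes, nonce: bytes = b"", personalization: bytes = b""):
        if len(entropy) < self.OUTLEN:
            raise ValueError("seed material must be at least 256 bits")
        # Instantiate: Key = 0x00.., V = 0x01.., then mix in the seed material.
        self.key = b"\x00" * self.OUTLEN
        self.value = b"\x01" * self.OUTLEN
        self._update(entropy + nonce + personalization)
        self.reseed_counter = 1

    @staticmethod
    def _hmac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        # HMAC_DRBG_Update: fold provided data (possibly empty) into (Key, V).
        self.key = self._hmac(self.key, self.value + b"\x00" + provided_data)
        self.value = self._hmac(self.key, self.value)
        if provided_data:
            self.key = self._hmac(self.key, self.value + b"\x01" + provided_data)
            self.value = self._hmac(self.key, self.value)

    def reseed(self, entropy: bytes, additional_input: bytes = b"") -> None:
        """Mix fresh OS entropy into the state and restart the request counter."""
        self._update(entropy + additional_input)
        self.reseed_counter = 1

    def generate(self, n: int) -> bytes:
        """Return n pseudorandom bytes; refuse to run forever without a reseed."""
        if self.reseed_counter > self.RESEED_INTERVAL:
            raise RuntimeError("reseed required before generating more output")
        out = b""
        while len(out) < n:
            self.value = self._hmac(self.key, self.value)
            out += self.value
        # Post-generation update: the state that produced `out` is no longer recoverable.
        self._update(b"")
        self.reseed_counter += 1
        return out[:n]


def new_system_seeded_drbg(personalization: bytes = b"") -> HmacDrbg:
    """One OS CSPRNG call for 48 bytes of seed; everything after that is local."""
    return HmacDrbg(os.urandom(48), personalization=personalization)


def demo_two_keys():
    """Two independent 256-bit keys from a single OS-seeded instance."""
    drbg = new_system_seeded_drbg(b"hmac-drbg demo")
    return drbg.generate(32), drbg.generate(32)


if __name__ == "__main__":
    k1, k2 = demo_two_keys()
    print(k1.hex())
    print(k2.hex())
```

The DRBG is deterministic given its seed, which is exactly why the seed must come from the OS pool and never be logged or reused; the deterministic behaviour is also what makes the construction testable against known seeds.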
I am looking for a way to generate random numbers in an FPGA for use as an IV for cryptographic applications. However, the answers to similar questions I found on Stackoverflow so far generate random numbers from a "fixed seed", which is not at all suitable for a cryptographic application. Pointers to two such answers are as follows:
Random number generation on Spartan-3E
and
How to generate pseudo random number in FPGA?
Hope to get some helpful answers in this regard from the community!
Thanks
The issue is that you need some random entropy in order to seed a cryptographically secure pseudo-random number generator (CSPRNG). That is generally obtained by using portions of real-time events from an OS, which may include interrupt timing and other things that are hard for an attacker to influence.
An FPGA in isolation is not going to have this source of entropy.
There are also several ways to create True Random Number Generators, such as using multiple free-running oscillators.
I'm far from an expert on encryption and therefore am seeking out software deciphering advice. My example below deals with hardware, but my question is to seek software advice on whether a software solution is feasible, doable and reasonable.
Background:
On our product, we are considering adding encryption on our RFID keys. Our current firmware does not support this and our hardware guy now wants to upgrade the hardware to add a random number generator chip.
As mentioned above, I'm no expert on encryption, but I always thought that a random number generator was required for the ciphering, but not for the deciphering?
Additional info: We are using a low power ARM processor (don't know the model at this time).
So my questions are as follows:
Do you really need random numbers to decipher data?
If so, why wouldn't a standard C language library be sufficient?
And lastly,
If we do need random numbers to decipher, can anyone with experience comment on the benefits/disadvantages of having hardware vs. software random numbers? Example: Is the random number portion of a decipher only 1% of the total processing, and thus I would not necessarily speed things up?
Thank you in advance!
Your confusion is because in this case the random numbers are not being used for randomness. Many cryptographic algorithms such as RC4 are based on XORing the plaintext with a cryptographically secure pseudorandom number generator (CSPRNG) initialized with the key as a seed. (Pseudorandom means the random number generator uses an algorithm to generate values.) The data is then decrypted by again using the CSPRNG with the key and XORing it against the ciphertext.
If so, why wouldn't a standard C language library be sufficient?
No, as almost all rand() implementations use an LCG, which is insecure and not suited for cryptographic purposes.
If we do need random numbers to decipher, can anyone with experience comment on the benefits/disadvantages of having hardware vs. software random numbers? Example: Is the random number portion of a decipher only 1% of the total processing and thus I would not necessarily speed things up?
As is explained, generating values using the CSPRNG takes up virtually all the computing power required for encryption; the only other step is XORing the CSPRNG with the plaintext/ciphertext. However, I don't think you need a hardware accelerated pseudorandom generator as RC4 only requires 7 cycles a byte on a Pentium and most practical cryptographic algorithms less than 100 cycles per byte. If it needs to encrypt faster than hundreds of megabytes a second, then a hardware accelerated pseudorandom generator would accelerate the encryption significantly.
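The point of the answer above, that the "random numbers" in a stream cipher are deterministic given the key and that decryption is the same XOR as encryption, as an added example that is not code from this thread and is not RC4: the keystream generator here is an illustrative HMAC-SHA256 counter construction (`HMAC(key, nonce || counter)` per block), chosen so the example runs with the standard library. Function names and the 16-byte nonce are assumptions of the example.

```python
"""Keystream encryption: the cipher's 'random numbers' are a deterministic
function of the key, so the receiver regenerates the same stream to decrypt.

Added example, not the thread's code and not RC4. The keystream construction
(HMAC-SHA256 in counter mode) is illustrative; it needs a unique nonce per
message under a given key, and, like any stream cipher, a MAC over the
ciphertext if integrity matters.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic pseudorandom bytes: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; identical for encrypt and decrypt."""
    ks = keystream(key, nonce, len(data))
    return bytes(a ^ b for a, b in zip(data, ks))


# A stream cipher's decryption IS its encryption: same function, same key, same nonce.
encrypt = decrypt = xor_with_keystream


def encrypt_message(key: bytes, plaintext: bytes):
    """Fresh nonce per message. The nonce is public but must never repeat under one key."""
    nonce = secrets.token_bytes(16)
    return nonce, encrypt(key, nonce, plaintext)


def nonce_reuse_leaks_xor(key: bytes, nonce: bytes, p1: bytes, p2: bytes) -> bool:
    """Why the nonce must be unique: with a repeated keystream, c1 XOR c2 == p1 XOR p2,
    so the keystream cancels and the ciphertexts reveal the XOR of the plaintexts."""
    c1 = encrypt(key, nonce, p1)
    c2 = encrypt(key, nonce, p2)
    n = min(len(p1), len(p2))
    return bytes(a ^ b for a, b in zip(c1[:n], c2[:n])) == bytes(a ^ b for a, b in zip(p1[:n], p2[:n]))


def roundtrip_demo(plaintext: bytes) -> bytes:
    """Encrypt with a random key and nonce, decrypt with the same, return the result."""
    key = secrets.token_bytes(32)
    nonce, ct = encrypt_message(key, plaintext)
    return decrypt(key, nonce, ct)


if __name__ == "__main__":
    msg = b"Here is some data to encrypt!"
    print(roundtrip_demo(msg) == msg)
```

Note what the example does not use: no hardware randomness is involved in decryption at all. The only nondeterministic step is choosing the per-message nonce (and the key itself) at encryption time, which is the part the original question's hardware RNG would actually serve.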
I am comparing these 3 algorithms. I feel that RSA takes more time, but I am not able to conclude which is best.
The following are the performance profiler results taken for the 3 methods using the code given by Microsoft.
All the input strings are "Here is some data to encrypt!".
Can anyone advise me? I assert that RSA has a performance penalty due to the ImportParameters method, and I am thinking of using the RijndaelManaged method.
I am using this for a place where a normal encryption [not very strong and slow] is needed but it should be performant.
Kindly give me analysis details from your perspective + suggestions.
Note:
1. It is not ideal to compare symmetric and asymmetric, but I need some strong analysis.
Also, my memory profiling shows less memory usage with RSA.
Framework : .Net Framework V4 with C# & VS2010
Kindly suggest.
RSA will be slower than a symmetric cipher like Rijndael or AES. The usual method is to use RSA to encrypt a small key (128 or 256 bits) to send to the destination. The key is then used to encrypt a much larger data file, using AES or Rijndael, which the destination now has the correct key to decrypt at their end.
In short, use RSA for small pieces of data and AES/Rijndael for large pieces of data.
I need to generate random numbers for a lottery game. The lottery front-end will work in Flash AS3; the idea is to run a script that generates 10 random numbers (the winners) and saves them in a SQL database.
What's a reliable way to create random numbers?
Is js Math.rand() function reliable enough for a lottery?
On Wikipedia I found Fortuna, a "cryptographically secure pseudorandom number generator" that is included in the Javascript Crypto Library.
Another option is the web site http://www.random.org, which offers a free API to provide random numbers, but what guarantees can it offer?
The javascript Math.rand() is unlikely to be good enough for a lottery, as the specification does not require it to be cryptographically secure. For instance, there are known weaknesses in the generator used in some versions of Chrome.
What you would need would be a cryptographically secure pseudo-random number generator (such as Blum-Blum-Shub), and a way of seeding it. You need a good way of seeding it because if anyone can figure out what seed you used, they will be able to generate all the lottery numbers. You would probably want to seed the pseudo-random generator with a genuinely random, rather than a pseudo-random, number. This would require a hardware random number generator. Random.org supposedly provides a source of genuinely random numbers; however, if anyone were to eavesdrop on your connection to random.org, they could still discover your random seed. You might prefer to invest in your own hardware, rather than rely on someone external.
In fact, unless you needed an awful lot of random numbers (much more than 10), there would be little point in using any pseudo-random number generator at all. You might as well get all your random numbers from a true, hardware, random number generator.
It seems that random.org is basing its numbers off of static noise, which is pretty random, well more random than the javascript random library, which is probably basing its randomness on some time algorithm.
If the lottery involves money (purchasing 'tickets' and paying prizes) then you may need to be able to demonstrate that you are using 'real' random numbers. In that case you might want to invest in your own hardware for generating random numbers. A quick search reveals a few, for example this one.
Otherwise, either of the two pseudorandom sources would seem adequate to me.
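The lottery draw the answers above discuss, as an added example that is not code from this thread: ten distinct winners taken from the operating system's CSPRNG via Python's `secrets`/`SystemRandom` (which read `getrandom()`/`/dev/urandom` on Linux and the Windows system generator on Windows), so the application never holds a seed that could be leaked or eavesdropped. It also shows, by exhaustive enumeration rather than sampling, why reducing a random byte with `%` is biased and how rejection sampling removes the bias. Function names and the range 1..49 are choices made for this example.

```python
"""Drawing lottery winners from the OS CSPRNG, and the modulo-bias pitfall.

Added example, not code from this thread. Uses only the standard library.
"""
import secrets
from collections import Counter

# SystemRandom never exposes or stores a seed; every call reads the OS generator.
_sysrand = secrets.SystemRandom()


def draw_winners(count: int, low: int, high: int):
    """`count` distinct numbers in [low, high], each equally likely (rejection
    sampling happens inside SystemRandom, so no modulo bias)."""
    population = range(low, high + 1)
    if count > len(population):
        raise ValueError("more winners requested than numbers available")
    return sorted(_sysrand.sample(population, count))


def modulo_bias_counts(modulus: int) -> Counter:
    """How often each residue appears if one uniform byte is reduced with `%`.
    Enumerates all 256 byte values, so the result is exact, not sampled."""
    return Counter(b % modulus for b in range(256))


def rejection_sampled_counts(modulus: int) -> Counter:
    """Same reduction, but bytes >= the largest multiple of `modulus` below 256
    are discarded and redrawn; every residue is now equally likely."""
    limit = (256 // modulus) * modulus
    return Counter(b % modulus for b in range(256) if b < limit)


def is_uniform(counts: Counter) -> bool:
    return len(set(counts.values())) == 1


def demo():
    winners = draw_winners(10, 1, 49)
    naive = modulo_bias_counts(6)
    fair = rejection_sampled_counts(6)
    return winners, naive, fair


if __name__ == "__main__":
    w, naive, fair = demo()
    print("winners:", w)
    print("byte % 6 counts:", dict(sorted(naive.items())))   # residues 0..3 come up more often
    print("with rejection:", dict(sorted(fair.items())))    # all equal
```

For a draw that has to be demonstrably fair to players, keep the raw OS output (or hardware RNG output) and the selection code auditable: the bias check above is the kind of property an auditor can verify deterministically, while the draw itself is verified by the provenance of the entropy source.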
What are the addresses of some websites that offer random numbers from physical sources? I'm looking both for free services and services that cost money.
I have been using http://www.random.org/, and I like it. It generates random numbers from atmospheric noise, and is also capable of generating:
coin flips
dice rolling
card shuffling
among others. Take a look at it.
HotBits:
Genuine random numbers, generated by radioactive decay.
HotBits are generated by timing successive pairs of radioactive decays detected by a Geiger-Müller tube interfaced to a computer.
Once the random bytes are delivered to you, they are immediately discarded—the same data will never be sent to any other user and no records are kept of the data at this or any other site.
Secure Server HotBits Request
Sounds like the Quantum Random Bit Generator may be of use? It relies on photonic emission in semiconductors and the detection thereof by the photoelectric effect.
They supply command line and library/API access via various different platforms/frameworks.
www.Random.org
Apparently they use atmospheric noise to generate their numbers, though I'm not sure if they've published their algorithms.
Many Linux systems have a /dev/random device built in. That provides random numbers from physical sources.
The random number generator gathers environmental noise from device drivers and other sources into an entropy pool.
See http://en.wikipedia.org/wiki/Urandom