oibarnes

1. // TLDR:  Oi, Barnes.  We'll miss ya.  Here's a grimy RNG in your honor.
2. //        node oi.js or paste the below into your favorite browser's JS console.
3. // DEFCON CHALLENGE:  Break this!
4.  
5. function millis()         { return Date.now(); }
6. function flip_coin()      { n=0; then = millis()+1; while(millis()<=then) { n=!n; } return n; }
7. function get_fair_bit()   { while(1) { a=flip_coin(); if(a!=flip_coin()) { return(a); } } }
8. function get_random_byte(){ n=0; bits=8; while(bits--){ n<<=1; n|=get_fair_bit(); } return n; }
9.  
10. report_console = function() { while(1) { console.log(get_random_byte()); }}
11. report_console();
12.  
13.  
14. //Oi 1.0:  The 'Obviously Incorrect' Random Number Generator
15. //         (so go break it!)
16. //   From: Dan Kaminsky
17. // Greetz: Barnaby Jack -- there's a pile of awesome reasons to name this
18. //         Oi, but this one's for you.
19. //   Date:  1-Aug-2013
20. //   Idea:
21. //       A man with one clock knows what time it is.
22. //       A man with two clocks is never sure.
23. //       Or:  Anyone who thinks computers are deterministic
24. //       systems has never tried to write realtime code :)
25. //
26. //       In 2011, Nadia Heninger et al found that at least 1 of 200 RSA
27. //       keys on the Internet were crackable due to random number generators,
28. //       and that generally those RNGs lived on embedded devices.
29. //
30. //       Can we do better?
31. //
32. //       In the real world, when we need to make a random choice, we don't
33. //       go out and buy a hunk of radioactive material and stick a
34. //       Geiger counter next to it.  We just flip a coin.  Coin flipping
35. //       ultimately is just measuring a slow system (how many seconds
36. //       does it take for a coin to rise and fall) against a fast system
37. //       (how many spins, or bit flips, a coin can complete before it
38. //       lands).
39. //
40. //       That can be done in code.  Lets compare janky millisecond timers
41. //       (1000 cycles/sec AT BEST) to CPUs themselves (millions to
42. //       billions of cycles/sec).  And, lets just get one bit, heads
43. //       or tails.
44. //
45. //       Interrupts ain't cycle accurate.
46. //
47. //       Oi, like Dakarand and Matt Blaze's Truerand before it, might very
48. //       well not work. But, you know, this is four lines of JavaScript,
49. //       The Language That Must Never Be Allowed To Do Cryptography
50. //       Ever Because Ew.  So here's a Defcon challenge, in honor of our
51. //       fallen friend.  Lets break this!
52. //
53. //       Pick any hardware, pick any language.  Even be an
54. //       active attacker, doing pesky things to available CPU.
55. //       If you can influence a bit, greater than chance, you
56. //       win!  I'm sure this fails _somewhere_.
57. //
58. //       This isn't a production version of Oi, by any means.  I'm
59. //       only doing simple Von Neumann debiasing (throwing away
60. //       any two 'coin flips' that return the same value). I'm not
61. //       scrambling the output with even a basic hash, allowing
62. //       an active attacker some access to the direct bitstream.
63. //       And there's no PRNG, so speed is actually too slow for
64. //       lots of production uses.  5 seconds in IE6 for 128 bits
65. //       is too much, for instance.
66. //
67. //       But, I wanna give attackers a fighting chance here.  And the
68. //       more an attack falls to a fifth line of code, the more
69. //       obvious it is that our threat models perhaps need adjusting.
70. //
71. //       This'll definitely fail to a cycle accurate emulator, but
72. //       anything else is fair game.
73. //
74. //Execution:  node oi.js, or paste into a JS console in your favorite
75. //            browser.
76. //Note:  You may need a "nicer" emitter of bytes.  Do this.
77. //report_console = function() { console.log(get_random_byte()); setTimeout(report_console, 0); }
78.  
79.  
80. ===
81. Output from ent (unlike diehard/dieharder, ent doesn't emit bad results on small bitstreams):
82.  
83. $ ent rand_js.bin
84. Entropy = 7.999967 bits per byte.
85.  
86. Optimum compression would reduce the size
87. of this 7006068 byte file by 0 percent.
88.  
89. Chi square distribution for 7006068 samples is 316.67, and randomly
90. would exceed this value 0.50 percent of the times.
91.  
92. Arithmetic mean value of data bytes is 127.5564 (127.5 = random).
93. Monte Carlo value for Pi is 3.139320943 (error 0.07 percent).
94. Serial correlation coefficient is -0.000659 (totally uncorrelated = 0.0).
95.  
96. ===
97. Simple packer:
98.  
99. #!/usr/bin/python
100.  
101. import sys
102. import struct
103.  
104.  
105. for line in open(sys.argv[1], "r").xreadlines():
106.   n=struct.pack("B", int(line.rstrip()))
107.   sys.stdout.write(n)