SHARE
TWEET

oibarnes

dakami Aug 1st, 2013 2,191 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. // TLDR:  Oi, Barnes.  We'll miss ya.  Here's a grimy RNG in your honor.
  2. //        node oi.js or paste the below into your favorite browser's JS console.
  3. // DEFCON CHALLENGE:  Break this!
  4.  
  5. function millis()         { return Date.now(); }
  6. function flip_coin()      { n=0; then = millis()+1; while(millis()<=then) { n=!n; } return n; }
  7. function get_fair_bit()   { while(1) { a=flip_coin(); if(a!=flip_coin()) { return(a); } } }
  8. function get_random_byte(){ n=0; bits=8; while(bits--){ n<<=1; n|=get_fair_bit(); } return n; }
  9.  
  10. report_console = function() { while(1) { console.log(get_random_byte()); }}
  11. report_console();
  12.  
  13.  
  14. //Oi 1.0:  The 'Obviously Incorrect' Random Number Generator
  15. //         (so go break it!)
  16. //   From: Dan Kaminsky
  17. // Greetz: Barnaby Jack -- there's a pile of awesome reasons to name this
  18. //         Oi, but this one's for you.
  19. //   Date:  1-Aug-2013
  20. //   Idea:
  21. //       A man with one clock knows what time it is.
  22. //       A man with two clocks is never sure.
  23. //       Or:  Anyone who thinks computers are deterministic
  24. //       systems has never tried to write realtime code :)
  25. //
  26. //       In 2011, Nadia Heninger et al found that at least 1 of 200 RSA
  27. //       keys on the Internet were crackable due to random number generators,
  28. //       and that generally those RNGs lived on embedded devices.
  29. //
  30. //       Can we do better?
  31. //
  32. //       In the real world, when we need to make a random choice, we don't
  33. //       go out and buy a hunk of radioactive material and stick a
  34. //       Geiger counter next to it.  We just flip a coin.  Coin flipping
  35. //       ultimately is just measuring a slow system (how many seconds
  36. //       does it take for a coin to rise and fall) against a fast system
  37. //       (how many spins, or bit flips, a coin can complete before it
  38. //       lands).
  39. //
  40. //       That can be done in code.  Lets compare janky millisecond timers
  41. //       (1000 cycles/sec AT BEST) to CPUs themselves (millions to
  42. //       billions of cycles/sec).  And, lets just get one bit, heads
  43. //       or tails.
  44. //
  45. //       Interrupts ain't cycle accurate.
  46. //
  47. //       Oi, like Dakarand and Matt Blaze's Truerand before it, might very
  48. //       well not work. But, you know, this is four lines of JavaScript,
  49. //       The Language That Must Never Be Allowed To Do Cryptography
  50. //       Ever Because Ew.  So here's a Defcon challenge, in honor of our
  51. //       fallen friend.  Lets break this!
  52. //
  53. //       Pick any hardware, pick any language.  Even be an
  54. //       active attacker, doing pesky things to available CPU.
  55. //       If you can influence a bit, greater than chance, you
  56. //       win!  I'm sure this fails _somewhere_.
  57. //
  58. //       This isn't a production version of Oi, by any means.  I'm
  59. //       only doing simple Von Neumann debiasing (throwing away
  60. //       any two 'coin flips' that return the same value). I'm not
  61. //       scrambling the output with even a basic hash, allowing
  62. //       an active attacker some access to the direct bitstream.
  63. //       And there's no PRNG, so speed is actually too slow for
  64. //       lots of production uses.  5 seconds in IE6 for 128 bits
  65. //       is too much, for instance.
  66. //
  67. //       But, I wanna give attackers a fighting chance here.  And the
  68. //       more an attack falls to a fifth line of code, the more
  69. //       obvious it is that our threat models perhaps need adjusting.
  70. //
  71. //       This'll definitely fail to a cycle accurate emulator, but
  72. //       anything else is fair game.
  73. //
  74. //Execution:  node oi.js, or paste into a JS console in your favorite
  75. //            browser.
  76. //Note:  You may need a "nicer" emitter of bytes.  Do this.
  77. //report_console = function() { console.log(get_random_byte()); setTimeout(report_console, 0); }
  78.  
  79.  
  80. ===
  81. Output from ent (unlike diehard/dieharder, ent doesn't emit bad results on small bitstreams):
  82.  
  83. $ ent rand_js.bin
  84. Entropy = 7.999967 bits per byte.
  85.  
  86. Optimum compression would reduce the size
  87. of this 7006068 byte file by 0 percent.
  88.  
  89. Chi square distribution for 7006068 samples is 316.67, and randomly
  90. would exceed this value 0.50 percent of the times.
  91.  
  92. Arithmetic mean value of data bytes is 127.5564 (127.5 = random).
  93. Monte Carlo value for Pi is 3.139320943 (error 0.07 percent).
  94. Serial correlation coefficient is -0.000659 (totally uncorrelated = 0.0).
  95.  
  96. ===
  97. Simple packer:
  98.  
  99. #!/usr/bin/python
  100.  
  101. import sys
  102. import struct
  103.  
  104.  
  105. for line in open(sys.argv[1], "r").xreadlines():
  106.   n=struct.pack("B", int(line.rstrip()))
  107.   sys.stdout.write(n)
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top