Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations IamaSherpa on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

?pseudo? RANDOMLY generated session key of 128 or 256 secure ??

Status
Not open for further replies.
Kedas

Kedas

Technical User
Sep 29, 2002
4
BE
Hi,

When you have to create a random public/private key then your keyboard input timing is used to make it really random and not pseudo-randum.
(a computer without 'analog-input' can only create a pseudo-randum number)

Now my question is how can these session key's be secure if they are pseudo random?
or aren't they pseudo random?

And why is there no possibility to disable the use of a session key?
(I know you won't be able to sent to multiple persons then)
When the session key method is hacked then the public/private key has no meaning.

Knowing that a key can not be stronger than a brute force attack I find the below FAQ text rather funny.
A 3000 bit RSA-key or DH-key are equal to a 128 bit IDEA-key!!
meanig a 3000 RSA or DH has at least 3000-128 useless bits.

Hope someone can shine some light on these questions.
Thanks [:)]

Ken

Part of this FAQ: :
"PGP 7.0 introduces a new symmetric encryption option - Twofish, and PGP 7.0.1 additionally introduces AES. IDEA and CAST are 128 bit algorithms that are considered equivalent to 3000* bit RSA and DH keys; Triple DES is 168 bit, with a reported effective key size of 112 bits. Twofish and AES are 256 bit algorithms, and considered equivalent to a 15000 bit RSA or DH key."
 
Sort by date Sort by votes
A Pseudo-Random Sequence is absolutely not safe. But PGP uses time differences between key functions and the Position of the Mouse and that is "real" random.

3000 Bits RSA versus 128 Bit IDEA means you need the for both cases the same computing Performance to decrypt it.

RSA and IDEA are two completely different Methods and no bit is worthless.


hnd
hasso55@yahoo.com

 
Upvote 0 Downvote
Hi hnd,

you wrote:
"A Pseudo-Random Sequence is absolutely not safe. But PGP uses time differences between key functions and the Position of the Mouse and that is "real" random."

You mean ALSO for the session key's ????
(everytime I encrypt someting I don't notice that the computer is using some keystroke timings.)
about the bits:
I know they are not really useless but I meant if you have the same strenght with a lot more bits than it's like they are useless. Just want to point out that the amount of bits isn't saying as much about security as most people think.
 
Upvote 0 Downvote
Let me say: The principles of PGP is a a 128 bit encription key which is generated by random events. This key is used to encrypt the document.
The EncryptionKey is encrypted by a assymetric Method like RSA, Diffie Helman.... and is packed to the encrypted Package.
I did not analize up to now how the random number generator is working in Detail. But it is a Mix between Mousemovements and key-Clicks. With the Mouse the Position is determined and only the least significant Bit is used and put onto a shift register.
I think the Keyclicks are working similar with respect to time differences between two Clicks.

This effects are "real random" in my opinion.

The keypair for assymetric transmission has to be generated only once, and it is used to encrypt a absolutely random Bitsequence. Therefore there is no point to attack this key.

To the security of the keys: As more bits for encryption are used as more safe a encryption will be. Today you can say a 128-Bit Blockchiffre Method is very safe Triple DES and IDEA are certified for confidential Material in a lot of countries. But Blockchiffre Methods can not work for transmissions on public lines, because there is no Way to send the encryption Key to the receiver. This Lack can be cleared by Methods like RSA. Because RSA is based on a totally different Method (Prime Factor decomposition) you need a lot more bits to achieve the same level of security like Blockchiffre. That is the only reason why the Keylength is such high.
The explicite keyclicks to generate the Keypair has to be done only once. The random Number generator to generate an encryption key is running in the Backround and should not Bother you.

hnd
hasso55@yahoo.com

 
Upvote 0 Downvote
Mmmmm, Thank you for the good explanation but I still don't know what I want to know and that is:
What is done to make the session key(s) (DES,IDEA...) 'real random'

I already know what is done to make the RSA key not pseudo-random.
Thanks

I found this: "Stephan Neuhaus analyzes the randomness of session keys in PGP: worthwhile reading!"
on this page : but unfortunately it seems to be a dead/bad link.
 
Upvote 0 Downvote
The sessionkeys are generated in the way i described. Mousemoves and timedifferences in keyclicks.

The keyclicks you are entering during startphase are to get the starting value to generate the assymetric key.

hnd
hasso55@yahoo.com

 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

2
  • Locked
  • Question
Loss of my privacy
Replies
12
Views
1K
Rick998
Rick998
Sparrow4
  • Locked
  • Question
Configure Avaya IPO R11 / VM Pro + Office365 or Exchange for voicemail to email
Replies
2
Views
541
Johnkite
Johnkite
Shmid
  • Locked
  • Question
Hi We´re thinking of enabling Ac
Replies
0
Views
404
Shmid
Shmid
Tommy_T
  • Locked
  • Question
Sonic wall - Have an issue remotely connectioning VNC and SMB (and AFP) to one of the 2 ISP circuits
Replies
1
Views
465
nnaarrnn
nnaarrnn
texwiz
  • Locked
  • Question
need some help to properly set up, segregate and secure a network with an ASA 5505
Replies
2
Views
151
texwiz
texwiz

Part and Inventory Search

Sponsor

Back
Top