Could a truly random number be generated using pings to pseudo-randomly selected IP addresses?

Question

The question posed came about during a 2nd Year Comp Science lecture while discussing the impossibility of generating numbers in a deterministic computational device.

This was the only suggestion which didn't depend on non-commodity-class hardware.

Subsequently nobody would put their reputation on the line to argue definitively for or against it.

Anyone care to make a stand for or against? If so, how about a mention as to a possible implementation?

Recommended answer

I'll put my rep on the line (at least, 2 points of it per downvote).

No.

A malicious machine on your network could use ARP spoofing (or a number of other techniques) to intercept your pings and reply to them after certain periods. They would then not only know what your random numbers are, they would control them.

Of course there's still the question of how deterministic your local network is, so it might not be as easy as all that in practice. But since you get no benefit from pinging random IPs on the internet, you might just as well draw entropy from ethernet traffic.

Drawing entropy from devices attached to your machine is a well-studied principle, and the pros and cons of various kinds of devices and methods of measuring can be e.g. stolen from the implementation of /dev/random.

[Edit: as a general principle, when working in the fundamentals of security (and the only practical needs for significant quantities of truly random data are security-related) you MUST assume that a fantastically well-resourced, determined attacker will do everything in their power to break your system.

For practical security, you can assume that nobody wants your PGP key that badly, and settle for a trade-off of security against cost. But when inventing algorithms and techniques, you need to give them the strongest security guarantees that they could ever possibly face. Since I can believe that someone, somewhere, might want someone else's private key badly enough to build this bit of kit to defeat your proposal, I can't accept it as an advance over current best practice. AFAIK /dev/random follows fairly close to best practice for generating truly random data on a cheap home PC.]

[Another edit: it has been suggested in comments that (1) it is true of any TRNG that the physical process could be influenced, and (2) that security concerns don't apply here anyway.

The answer to (1) is that it's possible on any realistic hardware to do so much better than ping response times, and gather more entropy faster, that this proposal is a non-solution. In CS terms, obviously you can't generate random numbers on a deterministic machine, which is what provoked the question. But then in CS terms a machine with any external input stream is non-deterministic by definition, so if we're talking about ping then we aren't talking about deterministic machines. So it makes sense to look at the real inputs that real machines have, and consider them as sources of randomness. No matter what your machine, raw ping times are not high on the list of sources available, so they can be ruled out before worrying about how good the better ones are. Assuming that a network is not subverted is a much bigger (and unnecessary) assumption than assuming that your own hardware is not subverted.

The answer to (2) is philosophical. If you don't mind your random numbers having the property that they can be chosen at whim instead of by chance, then this proposal is OK. But that's not what I understand by the term 'random'. Just because something is inconsistent doesn't mean it's necessarily random.

Finally, to address the implementation details of the proposal as requested: assuming you accept ping times as random, you still can't use the unprocessed ping times as RNG output. You don't know their probability distribution, and they certainly aren't uniformly distributed (which is normally what people want from an RNG).

So, you need to decide how many bits of entropy per ping you are willing to rely on. Entropy is a precisely-defined mathematical property of a random variable which can reasonably be considered a measure of how 'random' it actually is. In practice, you find a lower bound you're happy with. Then hash together a number of inputs, and convert that into a number of bits of output less than or equal to the total relied-upon entropy of the inputs. 'Total' doesn't necessarily mean sum: if the inputs are statistically independent then it is the sum, but this is unlikely to be the case for pings, so part of your entropy estimate will be to account for correlation. The sophisticated big sister of this hashing operation is called an 'entropy collector', and all good OSes have one.

If you're using the data to seed a PRNG, though, and the PRNG can use arbitrarily large seed input, then you don't have to hash because it will do that for you. You still have to estimate entropy if you want to know how 'random' your seed value was - you can use the best PRNG in the world, but its entropy is still limited by the entropy of the seed.]
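
As an added example (not part of the original answer), the hash-and-truncate step the answer describes: estimate a lower bound on entropy per sample, hash the samples together, and emit no more bits than the relied-upon total. The RTT values are constructed, and the function names and the 0.5 derating factor for correlation are assumptions made for illustration.

```python
import hashlib
import math
import struct
from collections import Counter

# Constructed round-trip times in microseconds (not real measurements).
SAMPLE_RTTS_US = ([20100] * 8 + [20250] * 4 + [20400] * 4 + [19950] * 4 +
                  [21300] * 2 + [20700] * 2 + [22050] * 2 + [19800] * 2 +
                  [25500, 20550, 23100, 31200])


def min_entropy_per_sample(samples, bucket_us=1):
    """Lower-bound estimate in bits per sample: -log2 of the most common
    value's observed frequency, after rounding to the timer resolution."""
    if not samples:
        raise ValueError("no samples")
    counts = Counter(s // bucket_us for s in samples)
    p_max = max(counts.values()) / len(samples)
    return -math.log2(p_max)


def condition(samples, bits_per_sample, derate=0.5):
    """Hash all samples together and emit no more bits than the entropy
    relied upon. derate is an assumed allowance for correlated samples."""
    relied_bits = int(len(samples) * bits_per_sample * derate)
    out_len = min(relied_bits // 8, hashlib.sha256().digest_size)
    h = hashlib.sha256()
    for s in samples:
        h.update(struct.pack(">Q", s))  # fixed-width encoding, no ambiguity
    return h.digest()[:out_len], relied_bits


if __name__ == "__main__":
    for label, bucket in (("1 us timer", 1), ("1 ms timer", 1000)):
        est = min_entropy_per_sample(SAMPLE_RTTS_US, bucket)
        out, bits = condition(SAMPLE_RTTS_US, est)
        print(f"{label}: {est:.2f} bits/sample, relying on {bits} bits, "
              f"output {out.hex() or '(none)'}")
```

The frequency-based estimate only describes the samples as observed; it says nothing about whether someone on the path is choosing the reply times.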
