The UNIX and Linux Forums  

Go Back   The UNIX and Linux Forums > Special Forums > Security
Reload this Page swordfish --- a password generator
.
google unix.com

Forums Register Forum RulesLinksAlbums FAQ Members List Calendar Search Today's Posts Mark Forums Read



Thread: swordfish --- a password generator
View Single Post in the UNIX and Linux Forums - Click on the Thread or Permalink to View Entire Thread -->
  #4 (permalink)  
Old 07-25-2006
Perderabo's Avatar
Perderabo Perderabo is offline Forum Staff  
Unix Daemon
  
 

Join Date: Aug 2001
Location: Ashburn, Virginia
Posts: 9,131
I will post a new copy of swordfish making these changes:

Code:
In the weak_start_tigershark function: the line in green is new.

function weak_start_tigershark
{
        typeset -i  i final duration
        ((final=SECONDS+2))

        while((SECONDS < final)) ; do
                i=$RANDOM
        done

        ((Carry=0))
        ((X0=$$))
        ((X1=RANDOM))
        ((X2=RANDOM))
        ((X3=RANDOM))
        ((DEBUG)) && echo weakstart X3=$X3 X2=$X2 X1=$X1 X0=$X0 Carry=$Carry
        Sum=0
        ((Stigershark=Stigershark+1))
        return 0
}


In the Main section: The lines in red go away:

if [[ $Entropy = $ZeroEntropy ]] ; then
                echo "********************************" >&2
                echo "*                              *" >&2
                echo "*  Warning:  Entropy is zero!  *" >&2
                echo "*                              *" >&2
                echo "********************************" >&2
                echo generating weak entropy... >&2
                weak_start_tigershark
                status_tigershark
                entropy_generator 1 array
                echo  Entropy = ${Entropy}
                NeedMoreEntropy=1
fi

It is too early in the program to call status_tigershark since linecount has not be initialized and also it is sending unsolicted output to stdout. And that "echo Entropy" should have been directed to stderr as well. The remaining error message should be enough to call attention to the fact that swordfish is not operating in an optimum manner. And the user can always turn on debug mode for more output.

Yes, my intent is that swordfish be invoked always in the same directory. swordfish maintains an entropy file which is random data used to initialize the internal random number generator. But the first time the random number generator is called, there won't be an entropy file. So swordfish will initialize the RNG from /dev/urandom or /dev/random. If neither of those is available then swordfish is stuck with no decent source of initial random numbers. So it invokes the internal ksh RANDOM routine to get a few random numbers and it uses its current PID for one more random number. It first spends a couple of seconds burning off some of KSH's random numbers so it is not as bad as it might otherwise be. But it still complains about the situation. This is what is happening to you. Even HP-UX finally implemented /dev/random in 11.23. What OS are you using without a /dev/random?

If you really want to call swordfish from arbitrary directories, you could change the line:
ENTROPYFILE=swordfish.ent
to be an obsolute path to your entropy file. But remember, if other people can read your entropy file, they might be able to predict the passwords it
will generate.