Is it good to use a mouse movement as a 64-bit random seed for a Pseudorandom Generator like AES in Counter Mode?
Should I only need to get the X and Y coordinates of the mouse movement?
I suppose as far as entropy sources go, you could have chosen much, much worse. In fact a user properly moving his mouse while you collect a bunch of samples and hash them all together to obtain a seed is a pretty good random bit generator. Be conservative in your entropy estimates; for instance, I would estimate no more than two bits of entropy per sample if you collect them intelligently (e.g. avoid continuous duplicates and keep a reasonably large sampling rate).
However, obviously, a single mouse position is a terrible seed to use, since it doesn't even cover the whole 64-bit space. Your monitor is probably at best 1920x1080, which corresponds to about 2 million possible positions. WEAK.
But while this may be useful to keep in mind, it's probably best if you use an existing CSPRNG for your randomness needs, that way you don't bother the user, and you delegate security to someone else (which may be a good or a bad thing). You should always use the CSPRNG provided by your operating system as it is best placed to collect entropy, whether you like it or not. Under Windows, you can use CryptGenRandom() to access it.
It might seem counterproductive to use another RNG to seed your own, but entropy collection isn't exactly a trivial little thing that you just plug into a program. It has to be carefully and constantly monitored and tracked to keep a good estimate of the available entropy and ensure you don't lose any of it. Sure, making your own ultrafast PRNG using AES in counter mode for your specific needs might be worth it, but you need to consider the limits of your own random generator.
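The collection scheme described in the answer above, as an added example that is not code from either answer: samples are hashed together, consecutive duplicates earn no credit, and a seed is released only once 64 bits have been credited at 2 bits per sample. The names `MouseSeedPool`, `single_position_bits` and `os_seed`, the choice of SHA-256, and the sample path are assumptions made for illustration.

```python
import hashlib
import math
import os
import struct

BITS_PER_SAMPLE = 2   # conservative per-sample estimate quoted in the answer
SEED_BITS = 64        # seed size asked about in the question


def single_position_bits(width=1920, height=1080):
    """Upper bound on the entropy of one mouse position on a screen."""
    return math.log2(width * height)


class MouseSeedPool:
    """Hypothetical pool: hash (x, y) samples together into a 64-bit seed."""

    def __init__(self):
        self._hash = hashlib.sha256()   # assumed hash; the answer names none
        self._last = None
        self.credited_bits = 0

    def add_sample(self, x, y):
        """Feed one position; a repeat of the previous one earns no credit."""
        if (x, y) == self._last:
            return False
        self._last = (x, y)
        self._hash.update(struct.pack("<ii", x, y))
        self.credited_bits += BITS_PER_SAMPLE
        return True

    def seed(self):
        """Return 8 seed bytes, or refuse if too little entropy is credited."""
        if self.credited_bits < SEED_BITS:
            raise ValueError(f"{self.credited_bits}/{SEED_BITS} bits credited")
        return self._hash.digest()[:SEED_BITS // 8]


def os_seed():
    """The route both answers recommend: ask the operating system's CSPRNG."""
    return os.urandom(SEED_BITS // 8)


if __name__ == "__main__":
    pool = MouseSeedPool()
    for i in range(40):   # constructed path standing in for pointer events
        pool.add_sample((i * 37) % 1920, (i * 91) % 1080)
    print(round(single_position_bits(), 1), pool.credited_bits,
          pool.seed().hex(), os_seed().hex())
```

A single 1920x1080 position tops out near 21 bits, which is why the pool needs at least 32 distinct consecutive samples before it will hand out a 64-bit seed.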
There are a few questions here.
Are mouse movements a good entropy source? In general no, but there are a number of programs that will ask the user to move the mouse randomly, sample the position at intervals, and use many samples as a source of entropy for random number generation.
Can you use mouse movement as the nonce in CTR mode? You shouldn't use a single mouse position as the nonce as there is not enough entropy. You could potentially use a process similar to what I describe in the first part of my answer to build up enough entropy to generate a good nonce, but since most all modern operating systems have a good random number generator built in, why not use that?
Is 64 bits enough? This totally depends on other factors of the system. For example, how often do you re-key? Repeating the same nonce with the same key will have devastating results. So, if you re-key every session, 64 bits is plenty. IPSEC ESP uses a 32-bit nonce for AES-CTR. Some of this also depends on how you combine the nonce with the counter. A large nonce concatenated with a small counter has its benefits and disadvantages. You could use XOR or addition as other methods of combining the two.
Do you only need X and Y coordinates? I am not exactly sure what you are proposing here. If you are asking if X,Y coordinates are sufficient for securely generating a nonce, the answer is that it depends on how you do it exactly. Ideally, you should take many samples after requesting that the user move the mouse randomly. Modern PRNGs, however, use many entropy sources for security reasons. You'd be better off using modern PRNGs and specifically, not trying to reinvent the wheel when tried and tested solutions already exist.