2005-09-18

Finding interesting things to do...

It's been a long time since I've posted here, for the simple reason that I haven't had much in my life change recently. I'm working a contract construction labor job for a company called SpaceSaver installing the first part of a motorized shelving system for UFL.edu that involves a bunch of concrete dust and steel channel. It's a job, but nothing much to really write about.

Thing is that my brain needs a bit of a challenge now. So, unless someone else comes up with something interesting for me to do with my time, I've decided to try to learn C and write a real entropy generator for Windows.

Yeah, I said that too when I first thought about it. Thing is that it is something that is really needed, and it would be nice to be able to hand out something that works, and have some potential resume fodder as a coder.

For those less schooled in the idea of entropy as defined in the computer world, in a nutshell, it's this: whenever you need to encrypt something, you need something that can't be easily guessed by a potential goblin (goblin in this case defined as someone who wants to get your data to do bad stuff to you/for you/with your data) to make a key for the encryption so you can actually get to your data again. Properly encrypted data is worthless to goblins, as it is not feasibly crackable. Please note that I said *feasibly*, not impossible. Given enough time, anything can be guessed by a computer with someone that has enough patience to try all of the potential combinations to find a key.

The problem with the Win32 (I can't say for the Win64) environment is that there's not a good entropy generator built into the OS like there is with most other OS'. Linux, for example, has /dev/rand, a specific device that captures data from user input and a few other sources to make a collection of nice random hash for anything that needs it. Windows doesn't really have anything like this that's open enough for some Open Source developers to use and trust. What is there most Open Source developers don't trust, since it's closed and they don't know how it works, so they can't really be sure that it's quality randomness that it spits out. This is where what I want to fiddle with comes in.

I want to build something that runs as a service in the Win32 environment that generates high quality randomness from a bunch of different sources. Some suggestions have been forwarded by groups on where to get the entropy from (unterminated mic port on a sound card, the standard mouse tracking and clicks, screen shots, a variety of system specific data like disk free/used, memory free/used, install ID, etc), but no one has tried to standardize the entropy generator, usually just hacking something that "works for them". While I applaud the effort, it just seems like reinventing the wheel to me.

I'm not going to claim that I'm any expert on security at all. Far from it. I'd like to learn about it, though. Computer security has been a passing interest for me for a while, and this seems like a way to "dive in feet first", as it were.

The first step in this journey is to learn enough C/C+ to be able to get data from the hardware itself. I'm going to start with just mouse tracking/clicks with a seed of some sort like current disk usage. Initially, I'm just going to dump the data to a file to prove that I can actually do it initially.

The second step is actually making it a service as opposed to a background process. I have no idea how to do this, but I know that other people have done this with stuff they've written, so I'm shure that it can be done.

After that, the hard part comes in: How to secure the entropy from being copied from the running memory that the data is going to be stored in so it can't be used to attempt to brute force the data that was just encrypted with it.

Anyway, enough with boring dissertation. If anyone who reads this can point me to some interesting tutorials or people working on the same thing, I'd be appreciative.