randomness of identifiers

This is merely a historical archive of years 2008-2021, before the migration to mailman3.

A maintained and still updated list archive can be found at https://lists.osmocom.org/hyperkitty/list/OpenBSC@lists.osmocom.org/.

Harald Welte laforge at gnumonks.org
Wed Sep 27 11:57:43 UTC 2017 

Dear all,

Max has been pushing https://gerrit.osmocom.org/#/c/1526 for quite some
time, but there was still no conclusion in its review.

I guess after more than 8 months in limbo, it's about time we decide how
to move ahead with this.

In general, we *want* secure/safe identifiers like TMSIs that are not
easy to predict by an attacker.  Using rand() or some other
pseudo-random generator with a predictible seed like the time of the
process start is probably not the best choice here.

Using the rather strong entropy pool of /dev/urandom or getrandom()
is apparently not a good choice either: We can exhaust the entropy pool
at whch point we would have to  block/wait, which we of course cannot in
our architecture.

So what do we do?  I think we first have to differentiate on the type of
randomness needed.  Is it a random identifier like TMSI? Is it a random
challenge used in cryptographic authentication?  Is it random data used
for a key?  Those require different levels of randomness.

For TMSI allocation, my "cryptographic gut feeling"[tm] is that something
like rand() or any other pseudo-random generator of significantly large
period is sufficient *if* it is seeded by a non-predictable value.  So
something like seeding with getrandom() result should be fine?

For random challenges in authentiation I would probably go for
direct use of urandom / getrandom().  If the entropy is exhausted, the
quality of the random numbers will get lower, but getrandom() will
always return up t 256 bytes.

For long-term stable key (Ki/Op) generation for provisioning SIM cards +
populating a HLR, I would certainly opt for using stronger randomness
sources.  However, I don't think we actually implement that anywhere, do
we?

What do you guys think?  Is there somebody on this list more
cryptographically qualified to give us proper guidance?  If you know
somebody skilled who might want to help but is not on this list, would
you invite them to join this discussion?

-- 
- Harald Welte <laforge at gnumonks.org>           http://laforge.gnumonks.org/
============================================================================
"Privacy in residential applications is a desirable marketing option."
                                                  (ETSI EN 300 175-7 Ch. A6)

More information about the OpenBSC mailing list