
I'm having trouble figuring out a solution to this problem.

Basically, what I am trying to do is create random data that can be repeated across multiple machines by a user but is also secure from attackers.

How I'm tackling this problem now is that a user enters a 5-digit PIN. That 5-digit PIN acts as an RNG seed. If the user moves to a different machine, they can re-enter that 5-digit PIN and the RNG output will be the same. This part is important for the system.

This works; however, the entropy of a 5-digit PIN isn't enough to be considered a secure seed. I think what you want to see is 128 bits of entropy. An attacker can easily brute-force a 5-digit PIN.

Any thoughts as to how I can secure this more? "You can't" is an acceptable answer in my mind. If I need to implement something different than an RNG, I would appreciate some suggestions.

Thank you all

CBaker
  • I'm not quite sure how this question differs from [your previous question](https://security.stackexchange.com/questions/115066/). Right now, it seems to be a duplicate. If you could explain why you actually need to do this, it might be a different question which receives different answers. – tim Feb 20 '16 at 22:10
  • The question isn't different; I tried to re-organize the question so it makes a little more sense to the reader. – CBaker Feb 20 '16 at 23:28
  • I think that this question is indeed more clear about what you want to do, but as you said, it's really still a duplicate, so I'm voting to close for now. If you add the use-case you are actually trying to solve instead of asking about the solution you came up with for now, this might be a different question, in which case I would retract my vote/vote to re-open. – tim Feb 20 '16 at 23:37

1 Answer


This is something that's fairly commonly done, and is the foundation for almost all 2nd-factor authentication methods (particularly those which are either device- or app-based). The usual route that is taken is to generate a large random seed, and then use one of many methods to sync it (certificates, QR codes, and old-fashioned multi-character alphanumerics are the common ones).

Essentially, the problem you're trying to tackle is that of transmitting a potentially large key across a potentially insecure channel, and there are a few routes you can go down. If you're wanting to retain the human element, you could go down the route of a passphrase. Anything which translates to a sufficiently large binary number would do the trick, so a 16-character alphanumeric passphrase would do the trick. 128 bits would be achieved by 8 characters, I think.

Jozef Woods
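The two points argued on this page, that a 5-digit PIN carries far too little entropy to seed anything and that a passphrase only helps once it encodes enough bits, can be checked with a short script. The following is an added example, not code from the question or the answer above; the alphabet sizes, the SHA-256 seed derivation and the counter-mode expansion are my own assumptions for illustrating a reproducible seed, and the hashing step adds no entropy of its own.

```python
import hashlib
import math

# Constructed parameters for the scenario discussed on this page.
DIGITS = 10        # alphabet of a numeric PIN
ALNUM = 62         # a-z, A-Z, 0-9
TARGET_BITS = 128  # the entropy level the question asks about


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols drawn from an
    alphabet of `alphabet_size` symbols (log2 of the number of possible strings)."""
    return length * math.log2(alphabet_size)


def chars_needed(alphabet_size: int, target_bits: int = TARGET_BITS) -> int:
    """Smallest string length over the given alphabet whose uniform entropy
    reaches target_bits. For a 5-digit PIN this is the gap the question describes."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def seed_from_secret(secret: str) -> bytes:
    """Deterministic 256-bit seed: the same secret typed on any machine yields the
    same seed, which is the reproducibility property the question needs. Hashing
    does not add entropy; an attacker can still try every low-entropy secret."""
    return hashlib.sha256(secret.encode("utf-8")).digest()


def deterministic_bytes(seed: bytes, n: int) -> bytes:
    """Expand a seed into n reproducible bytes with a counter-mode hash, so two
    machines holding the same seed produce the same stream."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:n])


if __name__ == "__main__":
    print(f"5-digit PIN:            {entropy_bits(DIGITS, 5):.1f} bits")
    print(f"digits for 128 bits:    {chars_needed(DIGITS)}")
    print(f"alphanumerics for 128:  {chars_needed(ALNUM)}")
    print(f"16 alphanumerics:       {entropy_bits(ALNUM, 16):.1f} bits")
    # Same secret on two "machines" -> identical stream.
    a = deterministic_bytes(seed_from_secret("12345"), 32)
    b = deterministic_bytes(seed_from_secret("12345"), 32)
    print("streams match:", a == b)
```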