In order to generate and store my passwords, I decided to use a tabula recta as described in this article. So I coded a simple C program to create such a table, and I wanted to know if it contained a security hole that could be exploited.

```c
#include <stdio.h>
#include <stdlib.h>   /* arc4random_uniform() on macOS/BSD and glibc >= 2.36 */
#include <string.h>
/* On Linux with an older glibc, include <bsd/stdlib.h> and link with -lbsd. */

int main(void)
{
    const char *alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    unsigned long i, j;

    /* Print the header */
    printf("   ");
    for (i = 0; i < strlen(alphabet); i++)
        printf(" %c", alphabet[i]);
    printf("\n  +");
    for (i = 0; i < strlen(alphabet); i++)
        printf("--");

    /* Print the rest of the table */
    printf("\n");
    for (i = 0; i < strlen(alphabet); i++) {
        printf("%c | ", alphabet[i]);
        /* Each cell is a printable ASCII character in the range 33..126 */
        for (j = 0; j < strlen(alphabet); j++)
            printf("%c ", (char) (arc4random_uniform(94) + 33));
        printf("\n");
    }
    return 0;
}
```

I don't intend to display the table in the standard output but to redirect it (maybe to a script that will make a postscript file out of it and print it on actual paper).

(Example of vulnerability in a previous version of the program) I used the standard input to ask the user to set a seed to be used by the rand function. However, it was then possible to brute force all potential seeds (i.e. unsigned integers) and obtain a dictionary of a reasonable size of potential passwords.

schroeder
  • The C program does not appear to have any obvious security problems, but the method as a whole suffers from some issues. Are you just asking about the C program? – hft Aug 18 '21 at 19:33
  • Yes, I am asking specifically about the C program, as [this](https://security.stackexchange.com/questions/13579/using-a-tabula-recta-to-store-passwords?rq=1) question already addresses the method itself. I added a vulnerability I fixed to the question as an example. Thanks. –  Aug 18 '21 at 19:37
  • I want more factors than just the RNG. Human interaction was a good one, but add the # of microseconds it took them to reply. Possible factor sources: free RAM, system clock time, microseconds it takes to write a stub 4k temp file of random data, fan speeds, CPU temps, # of processes running, uptime, PID, etc. Stringify a bunch of unpredictable numbers like those, concat them up, and hash them. Then you can add bytes of the hash to your RNG values, ex `(((arc4random_uniform(94*128)+hash[j]) % 94) + 33)` – dandavis Aug 19 '21 at 18:04

1 Answer

Is there any security flaw in this C program to generate a tabula recta?

The C program does not appear to have any obvious security problems, but the method as a whole suffers from some issues.

The arc4random generator gives you different sets of integers in the range 33 to 126 every time it runs (at least it does on my system) so there doesn't seem to be any seeding issue. Also seems reasonably uniform (as uniform as arc4random_uniform anyways).

Moreover any intrinsic bias in RC4 (aka arc4) would be pretty hard to exploit given the small amount of data generated and the fact that it is randomly seeded.

hft
  • Note that the RC4 (aka arc4) output stream does have a small but meaningful bias (the output bits are not perfectly equally likely to be 0 or 1), which is why it is no longer used in modern crypto. I'm pretty sure that `arc4random` is just a randomly-keyed RC4 bitstream, and therefore will suffer the same bias. I'd recommend using a different CSPRNG, such as the platform-specific /dev/urandom device file (*nix) or `CryptGenRandom` API (Windows). For such a small data set it's unlikely to matter, though. – CBHacking Aug 18 '21 at 23:34
  • He's seemingly already avoided a worse source of bias (modulo bias) by using *arc4random_uniform* instead of arc4random and a modulo operation. Seems like any intrinsic bias in RC4 would be pretty hard to exploit given the small amount of data generated and the fact that it is randomly seeded. Given that we don't know his platform, I don't think it's worth updating the answer. For example, if he is running on OpenBSD, I think his best option might actually be arc4random. – hft Aug 19 '21 at 00:19
  • Yeah, that's a valid point. – CBHacking Aug 19 '21 at 00:35
  • Thank you for your answers, I am using both Darwin (macOS) and Linux (Debian) –  Aug 19 '21 at 07:54
  • I think you are fine as is, but if you want to get a little fancier (or just for fun) you could look into using libsodium or some other well-known library. The libsodium folks discuss the underlying OS RNGs they use for each OS here if you are interested: https://doc.libsodium.org/generating_random_data. – hft Aug 19 '21 at 23:04
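
An added example, not code from the question or from any poster in this thread: the /dev/urandom route suggested in the comments, with the modulo bias mentioned there removed by rejection sampling instead of `arc4random_uniform`. The function names `map_uniform` and `fill_cells` are hypothetical; the sketch assumes a system that provides /dev/urandom, as the asker's macOS and Debian both do.

```c
#include <stdio.h>
#include <stddef.h>

#define FIRST_CHAR 33            /* '!' */
#define N_CHARS    94            /* '!'..'~', the range used in the question */
#define LIMIT (256 / N_CHARS * N_CHARS)   /* 188: largest multiple of 94 <= 256 */

/* Rejection sampling: bytes >= LIMIT are dropped so each of the 94 symbols
 * is hit by exactly two byte values; a plain "byte % 94" would favour the
 * first 68 symbols. Returns the number of characters written to out. */
size_t map_uniform(const unsigned char *raw, size_t raw_len,
                   char *out, size_t out_len)
{
    size_t n = 0;
    for (size_t i = 0; i < raw_len && n < out_len; i++)
        if (raw[i] < LIMIT)
            out[n++] = (char)(FIRST_CHAR + raw[i] % N_CHARS);
    return n;
}

/* Fill cells[0..count) from the kernel CSPRNG. Returns 0 on success, -1 if
 * /dev/urandom cannot be opened or read (never fall back to rand()). */
int fill_cells(char *cells, size_t count)
{
    unsigned char buf[64];
    size_t done = 0;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    while (done < count) {
        size_t got = fread(buf, 1, sizeof buf, f);
        if (got == 0) { fclose(f); return -1; }
        done += map_uniform(buf, got, cells + done, count - done);
    }
    fclose(f);
    return 0;
}

int main(void)
{
    char cells[26 * 26];         /* one character per table cell */
    if (fill_cells(cells, sizeof cells) != 0) {
        perror("/dev/urandom");
        return 1;
    }
    for (size_t i = 0; i < sizeof cells; i++)
        printf("%c%c", cells[i], (i % 26 == 25) ? '\n' : ' ');
    return 0;
}
```

The failure path matters as much as the sampling: if the random source is unavailable the program exits without printing a table, instead of silently producing predictable output.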