2009-03-27 16:54:10
By Tim Brown
Since Ahead Of The Times took their PINsentry apart, I thought it was about time to share my analysis thus far of the numbers it generates:
This graph is based upon a sampling of 100 sequential responses to the "Identify" function he mentions in his blog. Since sampling by hand is rather tedious, these samples were gathered over a 2-3 week period whenever I had a spare second or two.
The number generation doesn't appear to be time determinate, since the time elapsed between sampling varied wildly. Over my relatively small sample, the change per response was found to be between ~500 and ~500k with an average change of ~138k. BurpSuite reckons the effective entropy is about 16 bits at a 1% significance level.
I'm struggling to think of applicable threat models but maybe someone else will. Of course, if anyone wants to lend me their PINsentry and card, I'll be happy to give it some further thought ;).
Mood: Intrigued
Music: Nothing playing right now
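As an added illustration (not part of the original post, and not the author's own tooling), here is a small script that reproduces the kind of analysis described above over a run of sequential codes: the change between consecutive responses, a crude per-digit entropy estimate in place of Burp's Sequencer figure, and a check of whether the change tracks elapsed time. The codes and the gaps between samples are constructed with a seeded PRNG and are not real PINsentry output; the eight-digit width is an assumption.

```python
"""Added example, not from the original post: crude statistics over a run of
sequential one-time codes, mirroring the by-hand analysis described above
(per-response change, a rough entropy estimate, and whether the change tracks
elapsed time).  All sample values are CONSTRUCTED here with a seeded PRNG;
they are not real PINsentry output, and the 8-digit width is an assumption."""

import math
import random

DIGITS = 8                 # assumed width of the displayed code
MODULUS = 10 ** DIGITS


def constructed_run(n=100, seed=7):
    """Constructed stand-in for n hand-sampled responses plus the (irregular)
    number of seconds elapsed before each one.  Seeded so results repeat."""
    rng = random.Random(seed)
    codes = [rng.randrange(MODULUS) for _ in range(n)]
    gaps = [rng.randrange(60, 3 * 86400) for _ in range(n)]  # seconds since previous sample
    return codes, gaps


def deltas(codes):
    """Absolute change between each response and the one before it."""
    return [abs(b - a) for a, b in zip(codes, codes[1:])]


def delta_stats(codes):
    """(min, max, mean) of the per-response change, the figures the post quotes."""
    d = deltas(codes)
    return min(d), max(d), sum(d) / len(d)


def digit_entropy(codes):
    """Sum over digit positions of the Shannon entropy of that position's digits.
    This ignores correlations between positions, so it is an upper bound on the
    entropy of the stream, and with n samples a position can never measure
    above log2(n) bits; treat the number as a sanity check, not a proof."""
    n = len(codes)
    total = 0.0
    for pos in range(DIGITS):
        counts = [0] * 10
        for c in codes:
            counts[(c // 10 ** pos) % 10] += 1
        total += -sum((k / n) * math.log2(k / n) for k in counts if k)
    return total


def time_correlation(codes, gaps):
    """Pearson correlation between the time elapsed before a sample and the
    change it produced.  Near +1 means a time-driven counter; near 0 means the
    change does not track wall-clock time, which is the post's observation."""
    d = deltas(codes)
    g = gaps[1:]                        # gap i is the time before codes[i]
    n = len(d)
    md, mg = sum(d) / n, sum(g) / n
    cov = sum((x - md) * (y - mg) for x, y in zip(d, g))
    sd = math.sqrt(sum((x - md) ** 2 for x in d))
    sg = math.sqrt(sum((y - mg) ** 2 for y in g))
    if sd == 0 or sg == 0:              # no variation on one side: correlation undefined
        return 0.0
    return cov / (sd * sg)


if __name__ == "__main__":
    codes, gaps = constructed_run()
    lo, hi, mean = delta_stats(codes)
    print(f"change per response: min={lo} max={hi} mean={mean:.0f}")
    print(f"per-digit entropy estimate: {digit_entropy(codes):.1f} bits "
          f"(max {DIGITS * math.log2(10):.1f})")
    print(f"correlation of change with elapsed time: {time_correlation(codes, gaps):+.2f}")
```

The entropy figure is deliberately simple: with only 100 samples, no per-position test can distinguish a good generator from a mediocre one, which is the same caveat that applies to a 16-bit Sequencer estimate over a sample this small.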
2009-03-27 20:21:38
Clarification
By Tim Brown
Just to be totally clear, I'm not saying there is anything wrong with how PinSentry generates its numbers; this is just a partial observation by myself of how it works. More analysis required.