myrkraverk
01.06.2024, 14:50 |
Creating a CSPRNG for DOS? (Developers) |
In the hope of getting a good answer. I'm currently thinking about a cryptographically safe random number generator for DOS. In the general sense, and not DOSBox specific.
For random seeding, I'd like to hook the kbd interrupt, or maybe some of the auxiliary interrupts for the BIOS, maybe the mouse as well, and/or the clock. If possible, network and other I/O such as serial.
The reason I'm overthinking this is that I'm currently thinking of command line tools, rather than full screen applications, and that means having a CSPRNG that updates its seed between invocations, if possible.
If I were only thinking of a full screen application, I'd just hook the kbd interrupt, and hope the user types enough to have a good seed.
Implementing Fortuna is the easy part; it's hooking the various "noise sources" and doing that in a way that can be small enough to not interfere with most of the DOS programs out there that require a lot of conventional RAM. Another consideration is to do it in a way that works both on real hardware, and emulators such as DOSBox because someone's going to run it in a basic emulator eventually. And that means not relying on features only present in DOSBox-X or such.
So what strategies are good, which are bad, and what are my options? |
rosegondon
C:\DOS, 01.06.2024, 18:27 (edited by rosegondon, 03.06.2024, 21:09)
@ myrkraverk
|
Creating a CSPRNG for DOS? |
> In the hope of getting a good answer. I'm currently thinking about
> cryptographically safe random number generator for DOS. In the general
> sense, and not DOSBox specific.
> [...]
> So what strategies are good, which are bad, and what are my options?
1. If you ditch the necessity of constant reseeding (djb's philosophy of "Fast-key-erasure random-number generators", https://blog.cr.yp.to/20170723-random.html) then just hash the DOS memory and some volatile hardware states with Keccak and pass the output (with tailored size) to your favorite CSPRNG.
2. If you prefer the constant reseeding philosophy, then plagiarize NOISE.SYS:
https://github.com/robrwo/noise.sys - my recommendations for "NOISE.SYS 2.0" core are then:
a. HMAC-DRBG http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-90Ar1.pdf
b. Fortuna https://en.wikipedia.org/wiki/Fortuna_(PRNG)
c. Hybrid https://www.cryptosys.net/rng_algorithms.html
In this version don't sweat too much over source selection: just use ALL of them. Some of them will be bad under emulation/virtualization, but each and every one of them will add to the final entropy anyway.
In my personal opinion, djb's assumptions are too optimistic and I would prefer option 2. --- echo g=ffff:0|debug>nul |
myrkraverk
02.06.2024, 01:14
@ rosegondon
|
Creating a CSPRNG for DOS? |
> In this version don't sweat too much over sources selection: just use ALL
> of them. Some of them will be bad under emulation/virtualization, but each
> and every one of them will add to the final entropy anyways.
Thank you.
I'm also thinking of pathological cases, such as this autoexec.bat* in classic DOSBox, or equivalent**.
c:\my\noise.com
openssl genrsa --out bootkey.pem 2048
I have no idea if that's ever going to be "safe" no matter what I do. I am mostly thinking of command line tools, though; tools that make sense both on real hardware and emulators with TCP/IP.
The idea of a noise.sys driver makes a lot of sense to me, and I can use it as a base, or implement my own from scratch. I'm not making any decision about that right now.
>
> In my personal opinion, djb assumptions are too optimistic and I would
> prefer option 2.
So do I. And in particular, I'm trying to avoid the Netscape 1.1, and Debian Random problems. For that I'm striving for best effort and the learning experience.
* Off hand I don't remember if it supports loading .sys device drivers.
** I can neither confirm nor deny porting OpenSSL to DOS without the secretary's approval. And in any case, I'd not use the DJGPP suite. |
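The design discussed in the thread so far (the Fortuna accumulator of the first post, rosegondon's "use ALL of the sources" advice, and the autoexec.bat case where a tool asks for a key the moment the driver has loaded), as one added example. This is not code from the thread or from NOISE.SYS. It models the Fortuna logic in Python because that is the part that is portable; the real driver would be a C or assembly TSR with the interrupt hooks, but the pool scheduling is the same: each hooked source spreads its samples round-robin over 32 pools, pool i is drained only on reseeds whose number is divisible by 2^i, the generator refuses output until pool 0 has received MIN_POOL_SIZE bytes or a seed file exists, and the seed file carries state to the next invocation. Assumptions made here: SHA-256 for the pools, HMAC-SHA256 in counter mode in place of the AES-CTR generator of the Fortuna paper, MIN_POOL_SIZE = 64, the source-id/length/data event encoding, and the constructed noise samples (a source stuck at one value stands in for a virtualised device).

```python
# Added example, not code from the thread or from NOISE.SYS: a model of a Fortuna
# accumulator plus generator with a seed file, as a DOS noise driver might keep it.
# Assumptions: SHA-256 pools; HMAC-SHA256 in counter mode stands in for Fortuna's
# AES-CTR generator; MIN_POOL_SIZE, the event encoding and the noise are chosen here.
import hashlib
import hmac
import os
import tempfile

NUM_POOLS = 32
MIN_POOL_SIZE = 64      # bytes that must reach pool 0 before a reseed may happen
SEED_FILE_SIZE = 64


class Fortuna:
    def __init__(self, seed_file=None):
        self.pools = [hashlib.sha256() for _ in range(NUM_POOLS)]
        self.pool0_bytes = 0        # only pool 0 is counted; it triggers reseeds
        self.reseed_count = 0
        self.key = None             # None means never seeded: output is refused
        self.counter = 0
        self.next_pool = {}         # per-source round-robin position
        self.seed_file = seed_file
        if seed_file and os.path.exists(seed_file):
            with open(seed_file, "rb") as f:
                saved = f.read()
            if len(saved) == SEED_FILE_SIZE:
                self._rekey(saved)
                self.write_seed_file()   # overwrite at once so the old file cannot replay

    def add_event(self, source, data):
        # One sample, encoded as source || length || data, into this source's next pool.
        assert 1 <= len(data) <= 32 and 0 <= source < 256
        i = self.next_pool.get(source, 0)
        self.pools[i].update(bytes([source, len(data)]) + data)
        if i == 0:
            self.pool0_bytes += len(data) + 2
        self.next_pool[source] = (i + 1) % NUM_POOLS

    @staticmethod
    def pools_for(reseed_count):
        # Pool i is drained only on reseeds whose number is divisible by 2**i.
        return [i for i in range(NUM_POOLS) if reseed_count % (1 << i) == 0]

    def _rekey(self, material):
        prev = self.key if self.key is not None else b"\0" * 32
        self.key = hashlib.sha256(prev + material).digest()

    def maybe_reseed(self):
        if self.pool0_bytes < MIN_POOL_SIZE:
            return False
        self.reseed_count += 1
        material = b""
        for i in self.pools_for(self.reseed_count):
            material += self.pools[i].digest()
            self.pools[i] = hashlib.sha256()
        self.pool0_bytes = 0
        self._rekey(material)
        return True

    def _block(self):
        out = hmac.new(self.key, self.counter.to_bytes(16, "little"), hashlib.sha256).digest()
        self.counter += 1
        return out

    def random_bytes(self, n):
        self.maybe_reseed()
        if self.key is None:
            raise RuntimeError("not seeded yet: refusing to produce output")
        out = b"".join(self._block() for _ in range((n + 31) // 32))[:n]
        self.key = self._block()    # fast key erasure: the key behind `out` is gone
        return out

    def write_seed_file(self):
        if self.seed_file:
            with open(self.seed_file, "wb") as f:
                f.write(self.random_bytes(SEED_FILE_SIZE))


def feed_constructed_noise(rng, n_events):
    # Constructed stand-in for the interrupt hooks: keyboard, timer, and a source stuck
    # at one value (as a virtualised device may be). Deterministic on purpose.
    for k in range(n_events):
        tick = 0x1234 + 7 * k
        rng.add_event(1, bytes([0x1E + k % 26, tick & 0xFF]))   # INT 9: scancode, tick
        rng.add_event(2, tick.to_bytes(4, "little"))             # INT 8: timer tick
        rng.add_event(3, b"\0\0\0\0")                            # stuck source
    return rng.maybe_reseed()


def two_invocations(seed_file=None):
    # Session 1 gathers noise and writes the seed file; session 2, the next tool in
    # autoexec.bat, has seen no noise at all and starts from the file alone.
    if seed_file is None:
        fd, seed_file = tempfile.mkstemp(suffix=".seed")
        os.close(fd)
    first = Fortuna(seed_file)
    feed_constructed_noise(first, 200)
    first.write_seed_file()
    with open(seed_file, "rb") as f:
        saved = f.read()
    second = Fortuna(seed_file)        # loads and immediately rewrites the file
    with open(seed_file, "rb") as f:
        rewritten = f.read()
    out = second.random_bytes(16)
    os.remove(seed_file)
    return len(saved) == SEED_FILE_SIZE and saved != rewritten and len(out) == 16
```

Two points worth checking in the code rather than taking on faith. First, MIN_POOL_SIZE counts bytes, not entropy: the stuck source fills pool 0 exactly as fast as the keyboard does, so the byte threshold only guarantees that a reseed is not attempted on nothing; what protects against a bad source is the pool schedule, under which a source that an attacker controls or that never changes merely delays recovery of the higher pools and cannot stop it. Second, for the autoexec.bat case the very first boot, with no seed file and no keystrokes yet, fails loudly in random_bytes instead of handing the next command a key, while every later boot starts from the file, which is overwritten the instant it is read and is itself produced by a request whose key is erased afterwards, so the same file cannot seed two runs and the file contents cannot be recovered from later driver state.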
SuperIlu
Berlin, Germany, 02.06.2024, 14:11
@ myrkraverk
|
Creating a CSPRNG for DOS? |
If you come up with something usable for DJGPP I'd be interested in including it into httpDOS/DOjS/jSH for TLS.
Right now I have a cobbled together pseudo random generator seeding the RNG of mbedTLS (with httpDOS optionally using NOISE.SYS if loaded). --- Javascript on MS-DOS? Try DOjS https://github.com/SuperIlu/DOjS
Fediverse: @dec_hl@mastodon.social |
myrkraverk
03.06.2024, 09:09
@ SuperIlu
|
Creating a CSPRNG for DOS? |
> If you come up with something usable for DJGPP I'd be interested in
> including it into httpDOS/DOjS/jSH for TLS.
>
> Right now I have a cobbled together pseudo random generator seeding the RNG
> of mbedTLS (with httpDOS optionally using NOISE.SYS if loaded).
If possible, I'd like to make something drop in compatible with noise.sys.
I'm not sure that's feasible, but it's one avenue I'm currently exploring. |