The dangers of weak random numbers

Posted Feb 21, 2008 14:36 UTC (Thu) by kirkengaard (subscriber, #15022)
Parent article: The dangers of weak random numbers

The more I learn, the more I find that it's dangerous to have non-cryptographically-strong
RNGs.  As you say, for anything more than picking which fortune entry to display, i.e. for
anything greater than toy problems, you very quickly rise into areas where exploitation of
predictability is problematic.  People get used to practicing with a "sufficiently random"
idea, and it leaks into implementations in areas where it becomes a problem.  Communication is
an access point; memory mapping is an access point; program input is an access point; data
storage is an access point; data output is an access point.

As to the OpenBSD response, this shouldn't be terribly surprising, given that having a name
for security becomes momentum.  We've seen them brush security problems under the table
before, for love of keeping that "0 holes" statistic alive.

The dangers of weak random numbers

Posted Feb 21, 2008 17:51 UTC (Thu) by bronson (subscriber, #4806) [Link]

OK, what RNG would you choose and why?  Please quantify.

I'm just kidding -- a proper answer to this question would require writing a book.  And
endless debate.  And the answer would change every five years.

Ultimately, if you need something done correctly to the last bit, would you really trust all
the libcs in the world?

My only problem with libc's rand() is the name.  It's a flat out lie!  No wonder it's
confusing.  It should have been called "prand" or "living_in_sin_rand" or something.
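The point that libc's rand() is only a pseudo-random generator is easiest to see in code. The following is an added example, not code from the thread or from any of the commenters: a service that mints "session tokens" from rand() seeded with the clock, and an attacker who, given one token and a rough idea of when the service started, brute-forces the seed and predicts every later token. The token layout (8 bytes from the low byte of each rand() call), the +/- 300 second search window and the use of /dev/urandom as the fixed alternative are assumptions made for the example.

```c
/* Added example: predicting libc rand() output once the seed is known.
 * Not code from the LWN thread or any commenter. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define TOKEN_LEN 8          /* bytes per "session token" (assumption) */

/* Take the next TOKEN_LEN bytes from the libc rand() stream. */
static void weak_fill(unsigned char out[TOKEN_LEN])
{
    for (int i = 0; i < TOKEN_LEN; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Victim service: seed rand() once from the clock and hand out tokens from
 * the resulting stream.  The seed is passed in so the example is
 * reproducible; a real service would call srand(time(NULL)). */
void victim_tokens(unsigned seed, unsigned char tokens[][TOKEN_LEN], int n)
{
    srand(seed);
    for (int i = 0; i < n; i++)
        weak_fill(tokens[i]);
}

/* Attacker step 1: given one observed token and a guess of when the service
 * started (accurate to +/- window seconds), try every candidate seed until
 * rand() reproduces the token.  Returns the seed, or 0 if no candidate in
 * the window matched (seed 0 is treated as "not found" for simplicity). */
unsigned recover_seed(const unsigned char seen[TOKEN_LEN],
                      unsigned approx, unsigned window)
{
    unsigned char cand[TOKEN_LEN];
    for (unsigned s = approx - window; s <= approx + window; s++) {
        srand(s);
        weak_fill(cand);
        if (memcmp(cand, seen, TOKEN_LEN) == 0)
            return s;
    }
    return 0;
}

/* Attacker step 2: with the seed known, regenerate the k-th token issued
 * after the observed one (k = 0 is the observed token itself). */
void predict_token(unsigned seed, int k, unsigned char out[TOKEN_LEN])
{
    srand(seed);
    for (int i = 0; i <= k; i++)
        weak_fill(out);
}

/* Fix: take the token from the kernel's CSPRNG instead.  /dev/urandom is
 * used here for portability; getrandom(2) on Linux or arc4random_buf() on
 * the BSDs avoid the file descriptor.  Returns 1 on success, 0 on failure. */
int strong_token(unsigned char out[TOKEN_LEN])
{
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f)
        return 0;
    size_t got = fread(out, 1, TOKEN_LEN, f);
    fclose(f);
    return got == TOKEN_LEN;
}

static void hexdump(const char *label, const unsigned char *b)
{
    printf("%-10s", label);
    for (int i = 0; i < TOKEN_LEN; i++)
        printf("%02x", b[i]);
    putchar('\n');
}

int main(void)
{
    unsigned char issued[3][TOKEN_LEN], guess[TOKEN_LEN];
    unsigned started = (unsigned)time(NULL);

    victim_tokens(started, issued, 3);      /* service issues three tokens */
    hexdump("token[0]", issued[0]);

    /* Attacker saw token[0] and knows the service came up "about now". */
    unsigned seed = recover_seed(issued[0], (unsigned)time(NULL), 300);
    if (seed == 0) {
        puts("seed not in window");
        return 1;
    }
    predict_token(seed, 2, guess);          /* predict the third token issued */
    hexdump("predicted", guess);
    hexdump("actual", issued[2]);
    printf("match: %s\n", memcmp(guess, issued[2], TOKEN_LEN) ? "no" : "yes");

    if (strong_token(guess))
        hexdump("urandom", guess);
    return 0;
}
```

Build with `cc -o prand prand.c && ./prand`. The search costs at most a few hundred srand()/rand() calls, so the "secret" falls in well under a millisecond; widening the window to a whole day (86400 candidates) changes nothing of substance. The only thing protecting a rand()-derived token is the attacker's uncertainty about the seed, which for a 32-bit clock value is small to begin with and zero once a timestamp leaks in a log or an HTTP Date header. Note also that rand() is implementation-defined: the attack works against any libc as long as the attacker uses the same one, which is a fair assumption for a known target platform.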


The dangers of weak random numbers

Posted Feb 22, 2008 12:17 UTC (Fri) by jzbiciak (✭ supporter ✭, #5246) [Link]

What I don't understand is why hardware RNGs aren't more common.  A number of embedded CPUs
contain them, but not the bulk of mainstream CPUs.  They take up so little silicon compared to
everything else, and provide such high quality results that they really ought to be
ubiquitous.

Sure, if you introduced them on mainstream CPUs today, it'd still be 5 years before they were
everywhere, so you'd still have to implement other techniques in the meantime.  But, those
could be a bridge to a better overall solution rather than a road to more hand wringing in 5
or 10 years when somebody finds the next weakness.

The dangers of weak random numbers

Posted Feb 22, 2008 2:19 UTC (Fri) by jschrod (subscriber, #1646) [Link]

This also depends on the purpose of your RNG usage.

Just this week, for example, I needed one to select a pseudo-random set of documents (out of
400,000) to pass them to human reviewers for inspection. For such a task, I don't care at all
if it's cryptographically-strong or not, I simply use libc's rand(). I don't even care that
it's very slow, getting the data for these 400,000 documents out of the database and
generating/formatting them already needed enough time...

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds