The dangers of weak random numbers

Posted Feb 21, 2008 5:34 UTC (Thu) by cventers (guest, #31465)
Parent article: The dangers of weak random numbers

One place I've seen atrocious PRNG use is in web applications. Web app 
developers often roll their own salt generators, or session token 
generators, or random password generators... then rely on a libc rand 
seeded by the process ID, for example, to generate far too little entropy 
with far too little quality.

One of the things I find unfortunate is when a particular class of 
security problem (say, XSRF) is well known but ignored by so many 
developers. Especially when you find those problems on a library level.
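The PID-seeded token generator cventers describes, beside a hardened form, as an added example that is not part of this thread (it assumes a Linux or BSD system where /dev/urandom exists; the function names are mine):

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define TOKEN_BYTES 16

/* Weak generator, as described in the comment: libc rand() seeded with the
 * process ID. The whole token is a deterministic function of one small seed,
 * so it carries no more entropy than the seed (bounded by the PID range). */
void weak_token(unsigned seed, unsigned char out[TOKEN_BYTES]) {
    srand(seed);
    for (int i = 0; i < TOKEN_BYTES; i++)
        out[i] = (unsigned char)(rand() & 0xff);
}

/* Hardened form: take the token straight from the kernel CSPRNG.
 * Assumes /dev/urandom exists; returns 0 on success, -1 on failure. */
int strong_token(unsigned char out[TOKEN_BYTES]) {
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    size_t n = fread(out, 1, TOKEN_BYTES, f);
    fclose(f);
    return n == TOKEN_BYTES ? 0 : -1;
}

/* Check: two tokens produced from the same PID-derived seed are identical,
 * which is what makes such tokens guessable. Returns 1 if identical. */
int weak_token_is_deterministic(unsigned seed) {
    unsigned char a[TOKEN_BYTES], b[TOKEN_BYTES];
    weak_token(seed, a);
    weak_token(seed, b);
    return memcmp(a, b, TOKEN_BYTES) == 0;
}

/* Check: consecutive strong tokens differ (a 128-bit collision is negligible).
 * Returns 1 when both reads succeed and the tokens are distinct. */
int strong_tokens_differ(void) {
    unsigned char a[TOKEN_BYTES], b[TOKEN_BYTES];
    if (strong_token(a) != 0 || strong_token(b) != 0) return 0;
    return memcmp(a, b, TOKEN_BYTES) != 0;
}

int main(void) {
    unsigned pid = (unsigned)getpid();
    printf("weak token from pid %u is deterministic: %d\n",
           pid, weak_token_is_deterministic(pid));
    printf("strong tokens differ: %d\n", strong_tokens_differ());
    return 0;
}
```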


The dangers of weak random numbers

Posted Feb 21, 2008 7:48 UTC (Thu) by nix (subscriber, #2304)

One of my past workplaces used a random number generator seeded by an 
unintentional buffer read-overrun for years before anyone noticed. (Given 
that it was also deriving AES keys from that excellent source of secrets, 
getuid(), expecting any sort of randomness tests to be performed on the 
RNG was perhaps expecting too much.)

The dangers of weak random numbers

Posted Feb 21, 2008 14:38 UTC (Thu) by liljencrantz (guest, #28458)

In all fairness, I think one should mostly fault the libc developers for implementing a shoddy
default rng, not the web developers for using it. It is in my opinion a reasonable assumption
(though I know it is often not a correct assumption) that the platform's default rng should
generate numbers with reasonable entropy.

The dangers of weak random numbers

Posted Feb 21, 2008 17:28 UTC (Thu) by bronson (subscriber, #4806)

I disagree.  Cryptographically strong random numbers take a lot more CPU time to compute
(assuming you don't have a HW accelerator).  Since the vast majority of C programs don't need
strong random numbers anyway, why should we waste all that energy?

In addition, creating strong random numbers is hard!  The proper algorithm strongly depends on
the problem you're trying to solve.  The libc developers can't possibly know why you want
these numbers so they punted.  And I think they were right.  Anyone who believes that there is
a one-size-fits-all PRNG algorithm has never tried to write one.  :)

The dangers of weak random numbers

Posted Feb 21, 2008 21:12 UTC (Thu) by liljencrantz (guest, #28458)

It's true that the libc developers can't know why you want a random number, it's definitely
also true that one size does not fit all. But the libc implementation is the worst kind of
compromise as it is neither fast nor secure. If you want lots of numbers, you will get a lot
better performance out of e.g. Mersenne twister, and if you want something even remotely
secure, you need to use a special purpose cryptographic algorithm. 

As near as I can tell, the only situation you would ever want to use the libc random number
generator is when you really don't care about either performance or security. Couldn't they at
least have done one of the two?

The dangers of weak random numbers

Posted Feb 21, 2008 23:06 UTC (Thu) by bronson (subscriber, #4806)

That's a good point.  I can't think of a single thing the libc implementation excels at.  I
understand why they punted on security, but that's no reason to punt on everything!


Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds