lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 4 Apr 2006 14:22:53 +0100
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: Flaw in commonly used bash random seed method


Matthijs wrote:
> I hope nobody generates passwords with ANY kind of pseudo-RNG.

  This is the main point, anyway.

> By the way, if the random function can only generate numbers between 0
> and 32767, won't 2 bytes be enough then? The algorithm will perform a
> modulo calculation anyway, so 4 bytes won't really add anything. Of
> course, it is much better then only one byte.

  You have made the assumption that the size of the seed matches the size of 
the output values.  In fact, this is highly unlikely to be correct.  In the 
standard C library (on which this implementation is almost certainly based), 
the seed is a full 32-bits even though the output is 15.  That's because the 
seed is the internal state of the generator, and if it only had the same 
number of bits as the output, then the next output from the generator could 
be wholly determined by knowing the current output, and the generator would 
only be able to output 32768 numbers before the sequence repeated.  Think of 
the extra bits as selecting one of 2^17 different permutations of the 2^15 
possible output values; if the generator didn't have more internal state 
than it puts in its output, there would only ever be one constant 
permutation, the seed would choose your starting point at that permutation, 
and each output number you see generated would always be followed by the 
exact same next one every time.

    cheers,
      DaveK
-- 
Can't think of a witty .sigline today.... 





Powered by blists - more mailing lists