[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <e0trvf$krt$1@sea.gmane.org>
Date: Tue, 4 Apr 2006 14:22:53 +0100
From: "Dave Korn" <davek_throwaway@...mail.com>
To: bugtraq@...urityfocus.com
Subject: Re: Flaw in commonly used bash random seed method
Matthijs wrote:
> I hope nobody generates passwords with ANY kind of pseudo-RNG.
This is the main point, anyway.
> By the way, if the random function can only generate numbers between 0
> and 32767, won't 2 bytes be enough then? The algorithm will perform a
> modulo calculation anyway, so 4 bytes won't really add anything. Of
> course, it is much better then only one byte.
You have made the assumption that the size of the seed matches the size of
the output values. In fact, this is highly unlikely to be correct. In the
standard C library (on which this implementation is almost certainly based),
the seed is a full 32-bits even though the output is 15. That's because the
seed is the internal state of the generator, and if it only had the same
number of bits as the output, then the next output from the generator could
be wholly determined by knowing the current output, and the generator would
only be able to output 32768 numbers before the sequence repeated. Think of
the extra bits as selecting one of 2^17 different permutations of the 2^15
possible output values; if the generator didn't have more internal state
than it puts in its output, there would only ever be one constant
permutation, the seed would choose your starting point at that permutation,
and each output number you see generated would always be followed by the
exact same next one every time.
cheers,
DaveK
--
Can't think of a witty .sigline today....
Powered by blists - more mailing lists