[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Flaw in commonly used bash random seed method

Matthijs wrote:
> I hope nobody generates passwords with ANY kind of pseudo-RNG.

  This is the main point, anyway.

> By the way, if the random function can only generate numbers between 0
> and 32767, won't 2 bytes be enough then? The algorithm will perform a
> modulo calculation anyway, so 4 bytes won't really add anything. Of
> course, it is much better then only one byte.

  You have made the assumption that the size of the seed matches the size of 
the output values.  In fact, this is highly unlikely to be correct.  In the 
standard C library (on which this implementation is almost certainly based), 
the seed is a full 32-bits even though the output is 15.  That's because the 
seed is the internal state of the generator, and if it only had the same 
number of bits as the output, then the next output from the generator could 
be wholly determined by knowing the current output, and the generator would 
only be able to output 32768 numbers before the sequence repeated.  Think of 
the extra bits as selecting one of 2^17 different permutations of the 2^15 
possible output values; if the generator didn't have more internal state 
than it puts in its output, there would only ever be one constant 
permutation, the seed would choose your starting point at that permutation, 
and each output number you see generated would always be followed by the 
exact same next one every time.

Can't think of a witty .sigline today....