<
[email protected]> wrote:
You don't need clock-ticks since 1980, not unless you are planning
to run retroactive transactions for 25 years ago. You only need
(at best) clock-ticks since some arbitrary reference point
starting about now.
Several people have suggested using /dev/random or /dev/urandom in Linux.
However, the nature of random number generators and pseudo-
random number generators is that you get repeated values (or at least
you do on the better ones) -- "uniformly distributed random numbers"
are, mathematically, "selection with replacement", and if you can
never generate the same numbers, you have "selection without
replacement" which is not "uniformly distributed". If you use a
However, it should be extremely unlikely to repeat a value for two
consecutive tries, or even within a window small relative to the
range. And for many _P_RNGs impossible, even though they are indeed
uniform over a large (enough) window. Yes, in principle a (T)RNG could
return a thousand consecutive zeros, but in practice one that does so
is broken, not absurdly lucky.
pseudo random-number generator, then you need to keep careful track
of the "seed" that is currently in use, because if you have a crash
(or power outage, or maintenance, or switch to a new machine) then you
need to pick up with exactly the same internal seed you left off at --
if you don't, then you risk accidently re-using random numbers and
thus session-IDs. Unless, that is, one of your components in creating
the session ID is an absolute timestamp at a resolution fine enough
as to be sure to have a different value when your system came back up.
Or just any value which is (reliably) different when you come back up.
I worked on a system that for database transaction-id's, which
similarly need to be globally and permanently unique (for suitable
definitions of global and permanent), included a "crash count" (in
reserved stable=disk storage) which was incremented on a startup that
did not find clean state stored. (If clean state WAS found, it
included the next value for a, in this case, sequential counter.)
But if you don't have that, if you do need to keep complete track
of the current PRNG seed, then you might as well just use a sequential
counter (and hash the constructed session ID together with some
private key.)
Assuming the hash does not interact badly with some (any) structure of
the input. The hashes used in (modern = computer) cryptography like
MD5 and SHA1 (to name the most common and best known) are designed to
produce pseudorandom output for any unique input sequence, of which a
counter is the simplest case. Other (homegrown) hashes do not come
with the same kind of "guarantee". (Research fairly recently, about a
year ago, has found _collision_ attacks on MD5, that is where the
adversary can control the input to the hash, or most of it, but so far
as is known, this does not weaken it for the type of usage here.
Modern ciphers like DES and AES are similarly designed to be
pseudorandom _permutations_ hence reversible of their input = output
space, and thus one now-NIST-approved mode of operation is essentially
to encrypt sequential counter values and use the results for a
conventional (XOR) stream cipher -- subject the limitations for all
such stream ciphers regarding known-plain alteration etc.)
- formerly david.thompson1 || achar(64) || worldnet.att.net