Re: What I meaned with "random precision"!

Discussion in 'C Programming' started by Tom St Denis, Jun 25, 2003.

  1. Tom St Denis

    Tom St Denis Guest

    saf wrote:
    > It's also more secure to use gettimeofday, example:
    > You use your random function for a security reason (crypt function),
    > a hacker/cracker could change the time of the system and execute your
    > program at the same time (seconds), but it would be very more difficulter to
    > execute it at the same microseconds.


    Speaking as an amateur cryptographer this is complete utter bs.

    Tom
     
    Tom St Denis, Jun 25, 2003
    #1
    1. Advertising

  2. Tom St Denis

    Tom St Denis Guest

    saf wrote:
    > "Tom St Denis" <> schrieb im Newsbeitrag
    > news:mpoKa.17039$...
    >
    >>saf wrote:
    >>
    >>>It's also more secure to use gettimeofday, example:
    >>>You use your random function for a security reason (crypt function),
    >>>a hacker/cracker could change the time of the system and execute your
    >>>program at the same time (seconds), but it would be very more

    >
    > difficulter to
    >
    >>>execute it at the same microseconds.

    >>
    >>Speaking as an amateur cryptographer this is complete utter bs.

    >
    >
    > As you said: "amateur"
    > I speak here for professionals....


    Sure ok, you use the timeofday as a good source of entropy.

    Whatever, like I care.

    Tom
     
    Tom St Denis, Jun 25, 2003
    #2
    1. Advertising

  3. .... rode on the steel breeze ...

    (Of course it has meaning, pete. PF only has meaning to the listener,
    which is the beauty of it. But "random precision" is a drunk with a
    shotgun, or Walters on the guitar, or a late nineteenth century lathe
    in the eyes of an early twentieth century machinist.)
     
    Manning Helper, Jun 26, 2003
    #3
  4. Tom St Denis

    Richard Bos Guest

    "saf" <> wrote:

    > "Tom St Denis" <> schrieb im Newsbeitrag
    > news:mpoKa.17039$...
    > > saf wrote:
    > > > It's also more secure to use gettimeofday, example:
    > > > You use your random function for a security reason (crypt function),
    > > > a hacker/cracker could change the time of the system and execute your
    > > > program at the same time (seconds), but it would be very more

    > difficulter to
    > > > execute it at the same microseconds.

    > >
    > > Speaking as an amateur cryptographer this is complete utter bs.

    >
    > As you said: "amateur"
    > I speak here for professionals....


    If you really were a professional, you would know better than to use the
    standard rand() for random numbers with any quality at all.
    If you really were a professional, you'd also know better than to
    recommend a non-ISO function in comp.lang.c.
    If you _really_ were a professional, you'd write grammatical English.

    Richard
     
    Richard Bos, Jun 26, 2003
    #4
  5. [OT?] Re: What I meaned with "random precision"!

    On Thu, 26 Jun 2003, saf wrote:
    >
    > "Tom St Denis" <> schrieb...
    > > >>Whatever, like I care.

    > > I would just read /dev/urandom or the MS CSP [if in windows].

    >
    > > If you just want unique just use a 64-bit counter stored in a DB
    > > somewhere.

    >
    > Ok but you are now agreed with me, that srand(time(0)) is not very
    > recommended? :)


    srand() and rand() in general are not recommended. If you are writing
    a serious utility application, it probably shouldn't have any
    non-deterministic behavior. If you are writing a game, you probably
    will use a function from your library of game-related code.

    Nor can I think of any legitimate reason to use non-determinism (or any
    PRNG more powerful than maybe rand() for quick temporary password
    generation) in a security-related or cryptographic application. If anyone
    has a good example, or references to the (preferably online) literature,
    I'd be much obliged.

    -Arthur
     
    Arthur J. O'Dwyer, Jun 26, 2003
    #5
  6. Tom St Denis

    saf Guest

    "Tom St Denis" <> schrieb im Newsbeitrag
    news:i2qKa.17718$...
    > saf wrote:
    > >>Whatever, like I care.

    > >
    > >
    > >
    > > Here an example:
    > > A web site using the random function to create a session ID number.
    > > In the log files you will get the time only in seconds, when this

    session ID
    > > was created.
    > > It would be easy to reconstruct the sessions ID, to log into another
    > > account.

    >
    > I would just read /dev/urandom or the MS CSP [if in windows].


    But for this you need to open a suplementary file descriptor!
    And if I remember good, the /dev/urandom generator didn't worked correctly
    in FreeBSD.

    >
    > Oh wait, my LTC library provides a portable function [rng_get_bytes()]
    > todo just that.
    >
    > That is provided the ID must be secret.
    >
    > If you just want unique just use a 64-bit counter stored in a DB

    somewhere.

    Ok but you are now agreed with me, that srand(time(0)) is not very
    recommended? :)

    --
    saf
     
    saf, Jun 26, 2003
    #6
  7. Re: [OT?] Re: What I meaned with "random precision"!

    "Arthur J. O'Dwyer" wrote:
    >

    <snip>
    >
    > Nor can I think of any legitimate reason to use non-determinism (or any
    > PRNG more powerful than maybe rand() for quick temporary password
    > generation) in a security-related or cryptographic application.


    Non-determinism is useful in OTP key generation, to give the most
    obvious example.

    PRNGs are, of course, deterministic. :)

    <snip>

    --
    Richard Heathfield :
    "Usenet is a strange place." - Dennis M Ritchie, 29 July 1999.
    C FAQ: http://www.eskimo.com/~scs/C-faq/top.html
    K&R answers, C books, etc: http://users.powernet.co.uk/eton
     
    Richard Heathfield, Jun 26, 2003
    #7
  8. [OT] Re: What I meaned with "random precision"!

    On Thu, 26 Jun 2003, Richard Heathfield wrote:
    >
    > "Arthur J. O'Dwyer" wrote:
    > >
    > > Nor can I think of any legitimate reason to use non-determinism (or any
    > > PRNG more powerful than maybe rand() for quick temporary password
    > > generation) in a security-related or cryptographic application.

    >
    > Non-determinism is useful in OTP key generation, to give the most
    > obvious example.


    Oh. All right.

    ISTR that popular public-key encryption schemes use the key to encrypt
    a one-time-pad key, and then use the OTP key to encrypt the actual
    message. But if this is faster without loss of security, then I
    have forgotten why.

    As this is OT, I'll just look it up myself. :)

    -Arthur
     
    Arthur J. O'Dwyer, Jun 27, 2003
    #8
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.

Share This Page