[JDEV] Still another patch ... (seed the rand() function)

Matthias Wimmer m at tthias.net
Mon Oct 20 05:45:27 CDT 2003


Hi Joe!

Joe Hildebrand schrieb am 2003-10-14 10:20:19:
> I'm not a proper member of the security mafia; I just play one on TV, but
> that seems like it would be fine.  As long as the "them" in your sentence is
> the seed for the RNG, not the id itself.  I think it's probably good karma
> for the id to be both relatively unique and hard to predict.

No, I didn't speek about seeding. I meant that the ID that is
transmitted could be just the timestamp with an appended serial number
if there are multiple logins in the same second.

If you seed with time and serial, the seeding value is not much less
predictable than if you just use the timestamp.

I just wanted to tell that the IDs don't have to be unpredictable but
just unique. As soon as a client connects the ID is transmitted in clear
anyway. Even if you know the ID before you can not use the additional
time you have, because what would you do with that time? There is
nothing you can try to break brute force with that ID.
It is really only uniqueness, because if it is not unique and we sniffed
what the client sent as response, we can replay this response if the
same ID comes back.

I spoke with Maqi about that and we thought that it would maybe a
solution to seed the random number generator with /dev/urandom. I expect
that would be fine with you too.


Tot kijk
    Matthias

-- 
For kibibytes see:
http://www.iec.ch/online_news/etech/arch_2003/etech_0503/focus.htm
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
URL: <http://mail.jabber.org/pipermail/jdev/attachments/20031020/34b958ac/attachment-0002.pgp>


More information about the JDev mailing list