Hosting Provided By

RE: Secure random ID generation

From: Ryan M Harris <rmharris(at)acdinc.net>
Date: Tue Dec 03 2002 - 15:17:42 EST

Yeah, the seeding is done in a separate section of code... I should have included that in the email. Sorry about that. I will probably use a yarrow derivative for the PRNG. Shortly after I posted the message I came across the "mersenne twister" home page which stated that it was not secure. I have since read that it "may be" which is why I did not withdraw the previous post.

Ryan

-----Original Message-----
From: David Wagner [mailto:daw@mozart.cs.berkeley.edu] Sent: Tuesday, December 03, 2002 12:26 PM To: secprog@securityfocus.com
Subject: Re: Secure random ID generation

Ryan M Harris wrote:
>I have a batch of code that is to be used for secure session
identifiers
>in a network security system, can you tell me if this formula is good

No, it is not. Your PRNG ("Mersenne twister") is not cryptographically strong. And you never took any care to ensure that the PRNG was seeded, which is a very common failure mode.

You can find some information on how to do this right at http://www.cs.berkeley.edu/~daw/rnd/index.html Received on Tue Dec 3 16:34:23 2002

This message: [ Message body ]
Next message: Valdis.Kletnieks(at)vt.edu: "Re: Secure random ID generation"
In reply to: David Wagner: "Re: Secure random ID generation"
In reply to Ryan M Harris: "RE: Secure random ID generation"
Next in thread: Alex Russell: "Re: Secure random ID generation"

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ] [ By messages with attachments ]

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:02:44 EDT