
Re^4: Your random numbers are not that random (UtS,L)

by dsheroh (Prior)
on Jul 22, 2012 at 09:23 UTC ( #983057=note )

in reply to Re^3: Your random numbers are not that random (UtS,L)
in thread Your random numbers are not that random

A simple denial-of-service vulnerability is far from the worst-case scenario... If the code has any sort of cryptographic functionality, if it generates random passwords, or anything of that sort, then weak random numbers can lead to far worse than that, as they'll give an attacker a much better chance of guessing any randomly-generated values (such as session keys or random passwords).

Of course, if you're doing anything along those lines, I sincerely hope that you'd be using a properly-installed perl rather than one copied onto an SD card, so this is unlikely to be an issue in practice.

Re^5: Your random numbers are not that random (UtS,L)
by davies (Parson) on Jul 22, 2012 at 11:04 UTC

    I'm not clear on the distinction between "properly installed" and on an SD card. The Pi boots off an SD card, and while it is possible to put stuff onto a USB hard drive, it's rather complicated for the OS stuff. So the system Perl is certainly on a card, as are most things Pi related. All the cards I'm trying to create are bootable and intended to be used to boot Pis. Am I missing something?


    John Davies

Re^5: Your random numbers are not that random (UtS,L)
by Anonymous Monk on Jul 22, 2012 at 19:26 UTC

    I ran on the assumption that it is the random number generator failing only for the hash seeding code -- hence downplaying the problem. I have no idea which RNG the actual rand() function uses, but password/session key generation can be made reasonably secure even with a nonfunctional RNG.

    To the OP: What sort of results do you get if you run perl -le 'print rand() for 1..10' on the faulty boards? If you run it twice, will the same sequence repeat? What about on the working boards?

      but password/session key generation can be made reasonably secure even with a nonfunctional RNG

      Really? How? That is a pretty big assumption.

      How do you protect against predictably generated keys? Say, if the device does not have a hardware clock (and this one doesn't) and the program is started as part of the startup scripts, you end up with a very predictable set of constraints (process id, system time, memory layout, ...).

      While it may take a lot of raw processing power to compute the tables, you may only have to do it once. So, access to a bunch of high performance computers with good GPUs and a week or two of waiting may be all that's needed. Say, a few computers optimized for bitcoin mining. Or an attacker could just rent a botnet for a day or two.

      Even if it's only "session keys" that expire after a few minutes, the encrypted data can be stored and decrypted later. With any luck, the session contains a few passwords or other sensitive information that are valid much longer.

      You see, there is no "reasonable" security. It either works, or it doesn't.

      "I know what i'm doing! Look, what could possibly go wrong? All i have to pull this lever like so, and then press this button here like ArghhhhhaaAaAAAaaagraaaAAaa!!!"
        You see, there is no "reasonable" security. It either works, or it doesn't.

        The 6-pin rim lock and 2 deadbolts on my front door can be defeated by a Challenger 2, but given the likely risks, they form "reasonable security".

        Overstatement of risk is as damaging as understatement.

        With the rise and rise of 'Social' network sites: 'Computers are making people easier to use everyday'
        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.

        The start of some sanity?

        A very predictable set of constraints and a few KB of salt.
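
The concern raised in the replies above (a seed built from values that are predictable at boot, such as system time and process id) can be checked directly. The following Perl sketch is an added example, not code from any post in this thread; the clock window, the pid range and the `weak_token`/`strong_token` helpers are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Weak pattern: a 16-byte token drawn from rand() after seeding with values
# an outsider can narrow down (clock reading XOR process id).
sub weak_token {
    my ($seed) = @_;
    srand($seed);
    return join '', map { sprintf '%02x', int(rand(256)) } 1 .. 16;
}

# Hardened pattern: take the 16 bytes from the kernel CSPRNG instead.
sub strong_token {
    open my $fh, '<:raw', '/dev/urandom' or die "open /dev/urandom: $!";
    my $got = read($fh, my $buf, 16);
    close $fh;
    die "short read from /dev/urandom\n" unless defined $got && $got == 16;
    return unpack 'H*', $buf;
}

# Constructed scenario (every value here is an assumption): the board has no
# hardware clock, so the clock starts from the same reading on each boot, and
# an init script starts the service 20-40 s later with a pid in 300..700.
my $boot_clock = 0;
my @clock      = map { $boot_clock + $_ } 20 .. 40;
my @pids       = 300 .. 700;

# Distinct seeds this start-up window can produce.
my %seeds;
for my $t (@clock) {
    $seeds{ $t ^ $_ } = 1 for @pids;
}

# Token issued on one particular boot (constructed sample).
my $issued = weak_token( ($boot_clock + 31) ^ 412 );

# Audit: can the issued token be reproduced from the window alone?
my ($hit) = grep { weak_token($_) eq $issued } sort { $a <=> $b } keys %seeds;

printf "candidate seeds in window : %d\n", scalar keys %seeds;
printf "issued token reproducible : %s\n",
    defined $hit ? "yes (seed $hit)" : 'no';
printf "token from /dev/urandom   : %s\n", strong_token();
```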
