Cryptographic random numbers...

  • almurph@altavista.com

    Cryptographic random numbers...

    Hi,

    Hope you can help me with this one. I am trying to create a random
    number between 0 and 1 inclusive of cryptographic quality.
    The problem is, though - I don't know how! Here is what I have so far
    and I would greatly appreciate any comments/suggestions/code-samples
    that you may like to share. Thank you.

    Al


    **** CODE AS FOLLOWS ****

    byte[] random = new byte[2];
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    rng.GetBytes(random);

    return Convert.ToDouble(random[0]);

    *** END CODE ***



    The problem with the above is that it produces very large numbers. I
    need numbers between 0 and 1.
  • Pavel Minaev

    #2
    Re: Cryptographic random numbers...

    On Jul 17, 4:41 pm, "almu...@altavista.com" <almu...@altavista.com>
    wrote:
    > Hi,
    >
    > Hope you can help me with this one. I am trying to create a random
    > number between 0 and 1 inclusive of cryptographic quality.
    > The problem is, though - I don't know how! Here is what I have so far
    > and I would greatly appreciate any comments/suggestions/code-samples
    > that you may like to share. Thank you.
    >
    > Al
    >
    > **** CODE AS FOLLOWS ****
    >
    > byte[] random = new byte[2];
    > RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    > rng.GetBytes(random);
    >
    > return Convert.ToDouble(random[0]);
    >
    > *** END CODE ***
    >
    > The problem with the above is that it produces very large numbers. I
    > need numbers between 0 and 1.

    byte[] random = new byte[8];
    RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
    rng.GetBytes(random);
    return (double)BitConverter.ToUInt64(random, 0) / UInt64.MaxValue;

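Added example, not part of the original posts: the cast-and-divide form above rounds the 64-bit integer to a 53-bit double, so the result is only approximately uniform and can be exactly 1.0. The sketch below draws 53 or 54 bits directly to get a uniform value on [0, 1) or on [0, 1] as the question asked; the class and method names are illustrative, and `RandomNumberGenerator.Create()` is used as the base-class factory for the system CSPRNG.

```csharp
using System;
using System.Security.Cryptography;

// Illustrative names; not from the thread.
static class CryptoDouble
{
    // A double has a 53-bit significand, so every k / 2^53 with 0 <= k <= 2^53
    // is exactly representable and the grid points are evenly spaced.
    private const ulong TwoPow53 = 1UL << 53;

    // Uniform on [0, 1): 2^53 equally likely values, 1.0 never returned.
    public static double NextHalfOpen(RandomNumberGenerator rng)
    {
        byte[] buf = new byte[8];
        rng.GetBytes(buf);
        ulong k = BitConverter.ToUInt64(buf, 0) >> 11;   // keep 53 random bits
        return k / (double)TwoPow53;
    }

    // Uniform on [0, 1] inclusive: 2^53 + 1 equally likely values.
    // Draw 54 bits and reject anything above 2^53 so no value is favoured
    // (about half the draws are rejected, so two draws on average).
    public static double NextClosed(RandomNumberGenerator rng)
    {
        byte[] buf = new byte[8];
        ulong k;
        do
        {
            rng.GetBytes(buf);
            k = BitConverter.ToUInt64(buf, 0) >> 10;     // 54 random bits
        } while (k > TwoPow53);
        return k / (double)TwoPow53;
    }

    static void Main()
    {
        // Why the cast-and-divide form is only approximately uniform:
        // (double)UInt64.MaxValue rounds up to 2^64, and so do nearby inputs,
        // so this comparison holds for an input that is not the maximum.
        Console.WriteLine((double)(UInt64.MaxValue - 1000) / UInt64.MaxValue == 1.0);

        using (RandomNumberGenerator rng = RandomNumberGenerator.Create())
        {
            for (int i = 0; i < 3; i++)
                Console.WriteLine("{0:R}  {1:R}", NextHalfOpen(rng), NextClosed(rng));
        }
    }
}
```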

    • raylopez99

      #3
      Re: Cryptographic random numbers...

      On Jul 17, 5:41 am, "almu...@altavista.com" <almu...@altavista.com>
      wrote:
      > Hi,
      >
      > Hope you can help me with this one. I am trying to create a random
      > number between 0 and 1 inclusive of cryptographic quality.
      > The problem is, though - I don't know how! Here is what I have so far
      > and I would greatly appreciate any comments/suggestions/code-samples
      > that you may like to share. Thank you.
      >
      > Al
      >
      > **** CODE AS FOLLOWS ****
      >
      > byte[] random = new byte[2];
      > RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
      > rng.GetBytes(random);
      >
      > return Convert.ToDouble(random[0]);
      >
      > *** END CODE ***
      >
      > The problem with the above is that it produces very large numbers. I
      > need numbers between 0 and 1.

      What is this class: RNGCryptoServiceProvider? If it's a library
      function, just look into the documentation for it.

      Another solution: use MSFT's Random() function, and don't worry about
      it being of "crypto quality" --for most stuff it's OK, just use the
      system clock to reseed it once in a while. Good enough for government
      work.

      RL


      • almurph@altavista.com

        #4
        Re: Cryptographic random numbers...

        On Jul 17, 1:54 pm, raylopez99 <raylope...@yahoo.com> wrote:
        > On Jul 17, 5:41 am, "almu...@altavista.com" <almu...@altavista.com>
        > wrote:
        >
        > > Hi,
        > >
        > > Hope you can help me with this one. I am trying to create a random
        > > number between 0 and 1 inclusive of cryptographic quality.
        > > The problem is, though - I don't know how! Here is what I have so far
        > > and I would greatly appreciate any comments/suggestions/code-samples
        > > that you may like to share. Thank you.
        > >
        > > Al
        > >
        > > **** CODE AS FOLLOWS ****
        > >
        > > byte[] random = new byte[2];
        > > RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
        > > rng.GetBytes(random);
        > >
        > > return Convert.ToDouble(random[0]);
        > >
        > > *** END CODE ***
        > >
        > > The problem with the above is that it produces very large numbers. I
        > > need numbers between 0 and 1.
        >
        > What is this class: RNGCryptoServiceProvider? If it's a library
        > function, just look into the documentation for it.
        >
        > Another solution: use MSFT's Random() function, and don't worry about
        > it being of "crypto quality" --for most stuff it's OK, just use the
        > system clock to reseed it once in a while. Good enough for government
        > work.
        >
        > RL

        Thank you both very much for your comments - it's working now.
        Al.


        • Pavel Minaev

          #5
          Re: Cryptographic random numbers...

          On Jul 17, 5:58 pm, "almu...@altavista.com" <almu...@altavista.com>
          wrote:
          > Thank you both very much for your comments - it's working now.
          You didn't say which way you went, so here's a warning: if you do
          indeed truly need cryptographic RNG (i.e., because your specification
          requires you to, for example, if you're generating salt for
          encryption), then you should absolutely not use Random (which is a
          class, by the way, not a function) - it is very predictable.


          • rossum

            #6
            Re: Cryptographic random numbers...

            On Thu, 17 Jul 2008 05:54:33 -0700 (PDT), raylopez99
            <raylopez99@yahoo.com> wrote:
            >Another solution: use MSFT's Random() function, and don't worry about
            >it being of "crypto quality" --for most stuff it's OK, just use the
            >system clock to reseed it once in a while. Good enough for government
            >work.
            Absolutely not. Random is NOT of cryptographic quality and should not
            be used for cryptographic purposes. The requirements for a
            cryptographic RNG are very different from a simple PRNG for
            simulations, which is what Random is. See RFC 4056:
            http://rfc.net/rfc4086.html for more details.

            rossum


            • almurph@altavista.com

              #7
              Re: Cryptographic random numbers...

              On Jul 17, 3:08 pm, Pavel Minaev <int...@gmail.com> wrote:
              > On Jul 17, 5:58 pm, "almu...@altavista.com" <almu...@altavista.com>
              > wrote:
              >
              > > Thank you both very much for your comments - it's working now.
              >
              > You didn't say which way you went, so here's a warning: if you do
              > indeed truly need cryptographic RNG (i.e., because your specification
              > requires you to, for example, if you're generating salt for
              > encryption), then you should absolutely not use Random (which is a
              > class, by the way, not a function) - it is very predictable.

              Sorry, I'm using Pavel's - it looks like this:

              byte[] random = new byte[8];
              RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
              rng.GetBytes(random);
              return (double)BitConverter.ToUInt64(random, 0) / UInt64.MaxValue;

              Am interested to hear more about this salt...Any examples?


              • raylopez99

                #8
                Re: Cryptographic random numbers...

                On Jul 17, 8:04 am, rossum <rossu...@coldmail.com> wrote:
                > On Thu, 17 Jul 2008 05:54:33 -0700 (PDT), raylopez99
                > <raylope...@yahoo.com> wrote:
                > > Another solution: use MSFT's Random() function, and don't worry about
                > > it being of "crypto quality" --for most stuff it's OK, just use the
                > > system clock to reseed it once in a while. Good enough for government
                > > work.
                >
                > Absolutely not. Random is NOT of cryptographic quality and should not
                > be used for cryptographic purposes. The requirements for a
                > cryptographic RNG are very different from a simple PRNG for
                > simulations, which is what Random is. See RFC 4056:
                > http://rfc.net/rfc4086.html for more details.

                Whatever. Like Linus Torvalds said recently, the security folks have
                their pants all tied in a knot over the smallest details. I'm sure
                you're right, but if you reseed Random for the most part it gives you
                pretty random numbers it seems to me.

                And in fact reading the link you sent indicates that Microsoft does
                have something that gets seeds from buffer memory something something
                and produces near crypto quality randomness, which I guess is what the
                OP was talking about: "Microsoft's recommendation to users of the
                widely deployed Windows operating system is generally to use the
                CryptGenRandom pseudo-random number generation call with the CryptAPI
                cryptographic service provider."

                RL


                • Jon Skeet [C# MVP]

                  #9
                  Re: Cryptographic random numbers...

                  raylopez99 <raylopez99@yahoo.com> wrote:
                  > > Absolutely not. Random is NOT of cryptographic quality and should not
                  > > be used for cryptographic purposes. The requirements for a
                  > > cryptographic RNG are very different from a simple PRNG for
                  > > simulations, which is what Random is. See RFC 4056:
                  > > http://rfc.net/rfc4086.html for more details.
                  >
                  > Whatever. Like Linus Torvalds said recently, the security folks have
                  > their pants all tied in a knot over the smallest details. I'm sure
                  > you're right, but if you reseed Random for the most part it gives you
                  > pretty random numbers it seems to me.

                  And this is why people who aren't trained in security (including
                  myself) shouldn't be trusted to come up with secure algorithms.

                  System.Random *isn't* sufficiently random for security purposes. The OP
                  explicitly said he wanted a "cryptographic quality" random number
                  generator - why would you recommend something which goes directly
                  against what is asked for?

                  --
                  Jon Skeet - <skeet@pobox.com>
                  Web site: http://www.pobox.com/~skeet
                  Blog: http://www.msmvps.com/jon_skeet
                  C# in Depth: http://csharpindepth.com


                  • rossum

                    #10
                    Re: Cryptographic random numbers...

                    On Thu, 17 Jul 2008 13:38:04 -0700 (PDT), raylopez99
                    <raylopez99@yahoo.com> wrote:
                    >On Jul 17, 8:04 am, rossum <rossu...@coldmail.com> wrote:
                    >>On Thu, 17 Jul 2008 05:54:33 -0700 (PDT), raylopez99
                    >><raylope...@yahoo.com> wrote:
                    >>>Another solution: use MSFT's Random() function, and don't worry about
                    >>>it being of "crypto quality" --for most stuff it's OK, just use the
                    >>>system clock to reseed it once in a while. Good enough for government
                    >>>work.
                    >>
                    >>Absolutely not. Random is NOT of cryptographic quality and should not
                    >>be used for cryptographic purposes. The requirements for a
                    >>cryptographic RNG are very different from a simple PRNG for
                    >>simulations, which is what Random is. See RFC 4056:
                    >>http://rfc.net/rfc4086.html for more details.
                    >
                    >Whatever. Like Linus Torvalds said recently, the security folks have
                    >their pants all tied in a knot over the smallest details. I'm sure
                    >you're right, but if you reseed Random for the most part it gives you
                    >pretty random numbers it seems to me.
                    Read Microsoft's own documentation for Random: "To generate a
                    cryptographically secure random number suitable for creating a random
                    password, for example, use a class derived from
                    System.Security.Cryptography.RandomNumberGenerator such as
                    System.Security.Cryptography.RNGCryptoServiceProvider."

                    Reseeding Random can only take an Int32 as parameter. 32 bits is not
                    enough for most security purposes, and can be brute-forced reasonably
                    easily.
                    >
                    >And in fact reading the link you sent indicates that Microsoft does
                    >have something that gets seeds from buffer memory something something
                    >and produces near crypto quality randomness, which I guess is what the
                    >OP was talking about: "Microsoft's recommendation to users of the
                    >widely deployed Windows operating system is generally to use the
                    >CryptGenRandom pseudo-random number generation call with the CryptAPI
                    >cryptographic service provider."
                    Which is precisely what the default RNGCryptoServiceProvider does. To
                    quote from RFC 4068, section 7.1.3:
                    "Users of Windows ".NET" will probably find it easier to use
                    the RNGCryptoServiceProvider.GetBytes method interface."
                    Indeed.

                    rossum
                    >
                    >RL

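Added example, not part of the original posts: a reviewer's check of the point above that a 32-bit seed is too small. A salt built from a clock-seeded `System.Random` is fully determined by its seed, so replaying the seeds in a plausible time window reproduces it; the class and method names and the seed value are constructed for the demonstration.

```csharp
using System;
using System.Linq;

// Illustrative names; the seed below is a constructed sample value.
static class ClockSeededRandomAudit
{
    // The pattern proposed earlier in the thread: System.Random seeded
    // with a 32-bit clock reading, used here to produce a 16-byte salt.
    static byte[] WeakSalt(int seed)
    {
        byte[] salt = new byte[16];
        new Random(seed).NextBytes(salt);
        return salt;
    }

    // Replays every seed in [lo, hi]; returns the first one whose output
    // equals the observed salt, or null when no seed in the window matches.
    static int? FindSeed(byte[] observed, int lo, int hi)
    {
        for (long s = lo; s <= hi; s++)          // long avoids overflow at int.MaxValue
        {
            if (WeakSalt((int)s).SequenceEqual(observed))
                return (int)s;
        }
        return null;
    }

    static void Main()
    {
        const int seedAtGeneration = 123456789;  // constructed: a millisecond tick count
        byte[] observed = WeakSalt(seedAtGeneration);

        // 1. Determinism: the same seed always yields the same "random" bytes.
        Console.WriteLine("repeatable: " + WeakSalt(seedAtGeneration).SequenceEqual(observed));

        // 2. Knowing the generation time to within +/- 60 s leaves only
        //    120,001 candidate seeds, each checked by one replay.
        int? found = FindSeed(observed, seedAtGeneration - 60000, seedAtGeneration + 60000);
        Console.WriteLine("seed recovered: " + (found == seedAtGeneration));

        // 3. Even with no timing knowledge the whole space is 2^32 seeds,
        //    against 2^128 possible values for a 16-byte CSPRNG salt.
        Console.WriteLine("seed space: " + (1UL << 32) + " values");
    }
}
```

Reseeding more often does not help: every reseed draws from the same 32-bit space, so each output block is still reproducible from its seed.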

                    • rossum

                      #11
                      Re: Cryptographic random numbers...

                      On Thu, 17 Jul 2008 10:29:12 -0700 (PDT), "almurph@altavista.com"
                      <almurph@altavista.com> wrote:
                      >On Jul 17, 3:08 pm, Pavel Minaev <int...@gmail.com> wrote:
                      >>On Jul 17, 5:58 pm, "almu...@altavista.com" <almu...@altavista.com>
                      >>wrote:
                      >>
                      >>>Thank you both very much for your comments - it's working now.
                      >>
                      >>You didn't say which way you went, so here's a warning: if you do
                      >>indeed truly need cryptographic RNG (i.e., because your specification
                      >>requires you to, for example, if you're generating salt for
                      >>encryption), then you should absolutely not use Random (which is a
                      >>class, by the way, not a function) - it is very predictable.
                      >
                      >Sorry, I'm using Pavel's - it looks like this:
                      >
                      >byte[] random = new byte[8];
                      >RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
                      >rng.GetBytes(random);
                      >return (double)BitConverter.ToUInt64(random, 0) / UInt64.MaxValue;
                      >
                      >Am interested to hear more about this salt...Any examples?
                      See http://en.wikipedia.org/wiki/Salt_(cryptography)

                      It is used to stop an attacker precalculating password hashes from a
                      dictionary. See also Key Strengthening:
                      http://en.wikipedia.org/wiki/Key_strengthening for the use of salt in
                      a key stretching algorithm.

                      rossum


                      • raylopez99

                        #12
                        Re: Cryptographic random numbers...

                        On Jul 17, 2:02 pm, Jon Skeet [C# MVP] <sk...@pobox.com> wrote:
                        > System.Random *isn't* sufficiently random for security purposes. The OP
                        > explicitly said he wanted a "cryptographic quality" random number
                        > generator - why would you recommend something which goes directly
                        > against what is asked for?
                        >
                        Jon--Because nobody will ever know. If he codes using Random() and
                        uses a scrambler on his object code, how can you test to see if the
                        RNG is weak or not? Now I'm sure there's some specialized hardware
                        out there to do so, but as a practical matter nobody will ever find
                        out and even care. Worse case somebody finds out and you issue a
                        patch, and in the meantime have made money from pushing your product
                        out the door first, before your competitors do.

                        Rapid coding it's called. You can do a "CASE" analysis, lots of
                        flowcharting of software architecture using UML and state diagrams,
                        lots of discussion about program flow, 'best coding' practices for a
                        "Level 3" organization with a team of PhD programmers, or, you can
                        just sit down by yourself and by the seat of your pants bash out some
                        code on your keyboard over a couple of weeks, with the architecture
                        done on-the-fly and 'in your mind's eye'. Use Bangladore to help you
                        on modular stuff you can plug in later. Meanwhile you've told your
                        customers that your alpha code is in final testing and will be shipped
                        soon--you collect the money, ship the product and use some of the
                        revenue to issue patches and fix bugs later.

                        Without mentioning names, that's what Microsoft and other large
                        organizations have done or allegedly could have done, and if it's good
                        enough for MSFT, it's good enuf 4 me.

                        RL


                        • almurph@altavista.com

                          #13
                          Re: Cryptographic random numbers...

                          On Jul 18, 10:50 am, raylopez99 <raylope...@yahoo.com> wrote:
                          > On Jul 17, 2:02 pm, Jon Skeet [C# MVP] <sk...@pobox.com> wrote:
                          >
                          > > System.Random *isn't* sufficiently random for security purposes. The OP
                          > > explicitly said he wanted a "cryptographic quality" random number
                          > > generator - why would you recommend something which goes directly
                          > > against what is asked for?
                          >
                          > Jon--Because nobody will ever know. If he codes using Random() and
                          > uses a scrambler on his object code, how can you test to see if the
                          > RNG is weak or not? Now I'm sure there's some specialized hardware
                          > out there to do so, but as a practical matter nobody will ever find
                          > out and even care. Worse case somebody finds out and you issue a
                          > patch, and in the meantime have made money from pushing your product
                          > out the door first, before your competitors do.
                          >
                          > Rapid coding it's called. You can do a "CASE" analysis, lots of
                          > flowcharting of software architecture using UML and state diagrams,
                          > lots of discussion about program flow, 'best coding' practices for a
                          > "Level 3" organization with a team of PhD programmers, or, you can
                          > just sit down by yourself and by the seat of your pants bash out some
                          > code on your keyboard over a couple of weeks, with the architecture
                          > done on-the-fly and 'in your mind's eye'. Use Bangladore to help you
                          > on modular stuff you can plug in later. Meanwhile you've told your
                          > customers that your alpha code is in final testing and will be shipped
                          > soon--you collect the money, ship the product and use some of the
                          > revenue to issue patches and fix bugs later.
                          >
                          > Without mentioning names, that's what Microsoft and other large
                          > organizations have done or allegedly could have done, and if it's good
                          > enough for MSFT, it's good enuf 4 me.
                          >
                          > RL
                          On a point of information there is a test for random sequence called
                          the chi-squared statistic cf.


                          • Jon Skeet [C# MVP]

                            #14
                            Re: Cryptographic random numbers...

                            On Jul 18, 10:50 am, raylopez99 <raylope...@yahoo.com> wrote:
                            > > System.Random *isn't* sufficiently random for security purposes. The OP
                            > > explicitly said he wanted a "cryptographic quality" random number
                            > > generator - why would you recommend something which goes directly
                            > > against what is asked for?
                            >
                            > Jon--Because nobody will ever know. If he codes using Random() and
                            > uses a scrambler on his object code, how can you test to see if the
                            > RNG is weak or not? Now I'm sure there's some specialized hardware
                            > out there to do so, but as a practical matter nobody will ever find
                            > out and even care. Worse case somebody finds out and you issue a
                            > patch, and in the meantime have made money from pushing your product
                            > out the door first, before your competitors do.

                            If the code has reached client machines, they can very easily find out
                            that he's using System.Random. Ever used Reflector? If not, try it.

                            > Rapid coding it's called.

                            In this case it's called *sloppy* coding. Deliberately using something
                            you know to be weak, despite a declared requirement for a
                            cryptographically strong random number generator is just sloppy -
                            particularly when the alternative is readily available.

                            I'm all for agile coding and doing the simplest possible thing that
                            meets the requirements - but meeting the requirements is the key here.
                            Using System.Random *doesn't* meet the stated requirements.

                            Jon


                            • rossum

                              #15
                              Re: Cryptographic random numbers...

                              On Fri, 18 Jul 2008 02:50:07 -0700 (PDT), raylopez99
                              <raylopez99@yahoo.com> wrote:
                              >On Jul 17, 2:02 pm, Jon Skeet [C# MVP] <sk...@pobox.com> wrote:
                              >
                              >>System.Random *isn't* sufficiently random for security purposes. The OP
                              >>explicitly said he wanted a "cryptographic quality" random number
                              >>generator - why would you recommend something which goes directly
                              >>against what is asked for?
                              >
                              >Jon--Because nobody will ever know.
                              The OP stated that he needed cryptographic quality random numbers. In
                              cryptography you need to think in terms of the person who you are
                              defending against - "the attacker." Anything that the attacker can
                              reasonably do they are assumed to be able to do and so must be guarded
                              against. In this case the attacker can be reasonably expected to know
                              that Random is being used.
                              >If he codes using Random() and uses a scrambler on his object code,
                              >how can you test to see if the RNG is weak or not?
                              The attacker can descramble the code, use Reflection, check links into
                              the .NET libraries or just look at the assembler actually being run on
                              the CPU. Random uses a known algorithm from Knuth so the attacker can
                              be expected to recognise it.
                              >Now I'm sure there's some specialized hardware
                              >out there to do so,
                              There is, both hardware and software. The attacker can be assumed to
                              have it and to be able to use it correctly.
                              >but as a practical matter nobody will ever find
                              >out and even care.
                              The attacker will find out and will most definitely care.
                              >Worse case somebody finds out and you issue a
                              >patch, and in the meantime have made money from pushing your product
                              >out the door first, before your competitors do.
                              And the people who suffered a loss because your insecure database
                              allowed their credit card details to be hacked sue you for punitive
                              damages. Their loss is a direct consequence of your sloppy security
                              design. How much money would that lose you? Bad security increases
                              some risks, including risks to the bottom line.
                              >
                              >Rapid coding it's called.
                              It is also called sloppy security.
                              >
                              >Without mentioning names, that's what Microsoft and other large
                              >organizations have done or allegedly could have done, and if it's good
                              >enough for MSFT, it's good enuf 4 me.
                              So you are still using the original crackable version of WEP then?
                              According to Wikipedia that time to crack is now down to a matter of
                              minutes.

                              rossum
                              >
                              >RL
