Hello all,
I have a batch of code that is to be used for secure session identifiers
in a network security system, can you tell me if this formula is good
for that type of environment. Assume that the seed is taken from
various real world number sources (i.e. pull network packet arrival
times, system events per second, etc.)
===SNIP=
$RandomNumbers =
array('0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F');
// Assume the random number generator was seeded when we first
started the program (it was wasn't it?)
// Generate a random string that is 1024 chars long
for ($i = 0; $i < 1024; $i++) {
$RandomData[$i] = $RandomNumbers[mersenne_twister_rand(16)];
}
// We format this as a GUID style sequence
$RandomKey = "{";
foreach $x (8, 4, 4, 4, 12) {
// Work through our array and weed down to only specified
characters
for ($i = 0; $i < $x; $i++) {
$RandomKey .=
$RandomData[mersenne_twister_rand(1024)];
}
// Add in the dash if required.
if ($x != 12)
$RandomKey .= "-";
}
// Add in the ending data.
$RandomKey .= "}";
return $RandomKey;
=SNIP===
The code is “pseudo perl code” and generates a MS-GUID style id number.
Questions:
1) Is the “GUID” style number secure enough (long enough to ensure
security, or should additional sections be added)
2) I’m assuming that the randomness of the seed is the MOST important
aspect correct?
3) Does this code add to or detract from the effectiveness of the
random generation? (also can you tell me reasons so I can improve upon
it?)
4) Is the mersenne twister a secure enough random generator? If not,
what would be the suggested alternatives? This system is being
implemented in several different languages so I need an algorithm that
is not horrible to implement in several languages (not just C/C++)
THANK YOU for any help you can provide. I’m sorry this email is so
long.
Ryan M Harris
ACD Incorporated
Email: rmharris-securityat_private
This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 09:17:35 PST