Hello all, I have a batch of code that is to be used for secure session identifiers in a network security system, can you tell me if this formula is good for that type of environment. Assume that the seed is taken from various real world number sources (i.e. pull network packet arrival times, system events per second, etc.) ===SNIP= $RandomNumbers = array('0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F'); // Assume the random number generator was seeded when we first started the program (it was wasn't it?) // Generate a random string that is 1024 chars long for ($i = 0; $i < 1024; $i++) { $RandomData[$i] = $RandomNumbers[mersenne_twister_rand(16)]; } // We format this as a GUID style sequence $RandomKey = "{"; foreach $x (8, 4, 4, 4, 12) { // Work through our array and weed down to only specified characters for ($i = 0; $i < $x; $i++) { $RandomKey .= $RandomData[mersenne_twister_rand(1024)]; } // Add in the dash if required. if ($x != 12) $RandomKey .= "-"; } // Add in the ending data. $RandomKey .= "}"; return $RandomKey; =SNIP=== The code is “pseudo perl code” and generates a MS-GUID style id number. Questions: 1) Is the “GUID” style number secure enough (long enough to ensure security, or should additional sections be added) 2) I’m assuming that the randomness of the seed is the MOST important aspect correct? 3) Does this code add to or detract from the effectiveness of the random generation? (also can you tell me reasons so I can improve upon it?) 4) Is the mersenne twister a secure enough random generator? If not, what would be the suggested alternatives? This system is being implemented in several different languages so I need an algorithm that is not horrible to implement in several languages (not just C/C++) THANK YOU for any help you can provide. I’m sorry this email is so long. Ryan M Harris ACD Incorporated Email: rmharris-securityat_private
This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 09:17:35 PST