Unfortunately this is not an option. These are random keys for a distributed network.

-----Original Message-----
From: mikedat_private [mailto:mikedat_private]
Sent: Tuesday, December 03, 2002 1:36 PM
To: Ryan M Harris
Subject: Re: Secure random ID generation

Take a look at some of the hardware cryptographic/SSL accelerator cards out there. They have about the best random generators you can find on a computer.

If you're needing to implement this in many languages, why not have a single machine that generates all your random ids, then just pull them from that one machine in all your programs (http/tcp is pretty easy to implement in anything).

-Mike

---
Work: mikedat_private
Play: mikedat_private

On Tue, 3 Dec 2002, Ryan M Harris wrote:

> Hello all,
>
> I have a batch of code that is to be used for secure session identifiers
> in a network security system, can you tell me if this formula is good
> for that type of environment. Assume that the seed is taken from
> various real world number sources (i.e. pull network packet arrival
> times, system events per second, etc.)
>
> ===SNIP=
>
> $RandomNumbers =
>     array('0','1','2','3','4','5','6','7','8','9','A','B','C','D','E','F');
>
> // Assume the random number generator was seeded when we first
> // started the program (it was, wasn't it?)
>
> // Generate a random string that is 1024 chars long
> for ($i = 0; $i < 1024; $i++) {
>     $RandomData[$i] = $RandomNumbers[mersenne_twister_rand(16)];
> }
>
> // We format this as a GUID style sequence
> $RandomKey = "{";
>
> foreach $x (8, 4, 4, 4, 12) {
>     // Work through our array and weed down to only specified
>     // characters
>     for ($i = 0; $i < $x; $i++) {
>         $RandomKey .= $RandomData[mersenne_twister_rand(1024)];
>     }
>     // Add in the dash if required.
>     if ($x != 12)
>         $RandomKey .= "-";
> }
>
> // Add in the ending data.
> $RandomKey .= "}";
>
> return $RandomKey;
>
> =SNIP===
>
> The code is “pseudo perl code” and generates a MS-GUID style id number.
>
> Questions:
>
> 1) Is the “GUID” style number secure enough (long enough to ensure
> security, or should additional sections be added)
> 2) I’m assuming that the randomness of the seed is the MOST important
> aspect correct?
> 3) Does this code add to or detract from the effectiveness of the
> random generation? (also can you tell me reasons so I can improve upon
> it?)
> 4) Is the mersenne twister a secure enough random generator? If not,
> what would be the suggested alternatives? This system is being
> implemented in several different languages so I need an algorithm that
> is not horrible to implement in several languages (not just C/C++)
>
> THANK YOU for any help you can provide. I’m sorry this email is so
> long.
>
> Ryan M Harris
> ACD Incorporated
> Email: rmharris-securityat_private
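Added example, not part of the original messages or anyone's posted code: a Python port of the quoted generator beside a variant with the same GUID layout drawn from the operating system's CSPRNG. It shows that the Mersenne Twister version is a pure function of its seed, so the key can never hold more unpredictability than the seed does. Assumptions: `mersenne_twister_rand(n)` returns an integer in [0, n); Python's `random` module (MT19937) stands in for it; all function names are hypothetical.

```python
import random
import secrets

GROUPS = (8, 4, 4, 4, 12)   # GUID layout from the post: 32 hex digits
HEX = "0123456789ABCDEF"


def guid_from_mt(seed):
    """Port of the posted generator; random.Random is a Mersenne Twister."""
    mt = random.Random(seed)
    # Step 1 of the post: 1024 hex characters from the PRNG.
    pool = [HEX[mt.randrange(16)] for _ in range(1024)]
    # Step 2 of the post: pick characters from the pool with the same PRNG.
    groups = ["".join(pool[mt.randrange(1024)] for _ in range(n))
              for n in GROUPS]
    return "{" + "-".join(groups) + "}"


def guid_from_csprng():
    """Same layout, all 128 bits taken from the OS CSPRNG."""
    digits = secrets.token_hex(16).upper()
    groups, pos = [], 0
    for n in GROUPS:
        groups.append(digits[pos:pos + n])
        pos += n
    return "{" + "-".join(groups) + "}"


def distinct_first_ids(seed_bits):
    """Number of different first IDs reachable from a seed of seed_bits bits."""
    return len({guid_from_mt(s) for s in range(2 ** seed_bits)})


if __name__ == "__main__":
    seed = 20021203  # constructed sample seed
    print(guid_from_mt(seed))
    print(guid_from_mt(seed))          # identical: the seed fixes the output
    print(distinct_first_ids(10))      # bounded by 2**10, not 2**128
    print(guid_from_csprng())
```

The pool-and-pick step draws from the same generator state, so it rearranges output without adding any entropy.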
This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 13:18:27 PST