RE: Secure random ID generation

From: Ryan M Harris (rmharrisat_private)
Date: Tue Dec 03 2002 - 12:17:42 PST


    Yeah, the seeding is done in a separate section of code...  I should
    have included that in the email.  Sorry about that.  I will probably use
    a Yarrow derivative for the PRNG.  Shortly after I posted the message I
    came across the "Mersenne Twister" home page which stated that it was
    not secure.  I have since read that it "may be" which is why I did not
    withdraw the previous post.
    
    Ryan
    
    -----Original Message-----
    From: David Wagner [mailto:dawat_private] 
    Sent: Tuesday, December 03, 2002 12:26 PM
    To: secprogat_private
    Subject: Re: Secure random ID generation
    
    Ryan M Harris wrote:
    >I have a batch of code that is to be used for secure session
    >identifiers
    >in a network security system, can you tell me if this formula is good
    >for that type of environment.
    
    No, it is not. Your PRNG ("Mersenne twister") is not cryptographically
    strong. And you never took any care to ensure that the PRNG was seeded,
    which is a very common failure mode.
    
    You can find some information on how to do this right at
    http://www.cs.berkeley.edu/~daw/rnd/index.html
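
An added illustration of the two points raised in this exchange (not code from either poster): Python's `random` module is Mersenne Twister, so the same seed reproduces the same "session IDs", and an ID derived from a small seed space carries only as many bits of entropy as the seed, however long it looks; `secrets` draws from the OS CSPRNG, which does the seeding for you. The function names and the 8-bit seed-space audit are constructed for this example.

```python
import math
import random
import secrets

ID_BYTES = 16  # 128-bit session identifiers


def mt_session_id(seed: int, nbytes: int = ID_BYTES) -> str:
    """Session ID drawn from Mersenne Twister (random.Random is MT19937).

    MT is a fine statistical generator but not a cryptographic one, and a
    caller that seeds it from a small value space gets correspondingly few
    possible IDs, regardless of how many bits each ID contains.
    """
    rng = random.Random(seed)
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big").hex()


def csprng_session_id(nbytes: int = ID_BYTES) -> str:
    """Session ID from the OS CSPRNG; the kernel seeds and reseeds it."""
    return secrets.token_hex(nbytes)


def effective_entropy_bits(ids) -> float:
    """Upper bound on the entropy of a batch of IDs: log2 of distinct values.

    A generator whose only variable input is an n-bit seed can emit at most
    2**n distinct IDs, so enumerating the seed space exposes the bound.
    """
    return math.log2(len(set(ids)))


def audit_seed_space(seed_bits: int) -> dict:
    """Constructed audit: enumerate every seed of the given width and measure
    what the resulting 128-bit IDs are actually worth."""
    ids = [mt_session_id(seed) for seed in range(2 ** seed_bits)]
    return {
        "id_bits": 8 * ID_BYTES,
        "seed_bits": seed_bits,
        "distinct_ids": len(set(ids)),
        "entropy_bits": effective_entropy_bits(ids),
    }


if __name__ == "__main__":
    # Same seed, same ID: a process that seeds with a fixed or predictable
    # value hands out the same "random" identifiers after every restart.
    print(mt_session_id(12345) == mt_session_id(12345))
    print(audit_seed_space(8))  # 128-bit IDs, but only 8 bits of entropy
    print(csprng_session_id(), csprng_session_id())  # distinct, OS-seeded
```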
    
    This archive was generated by hypermail 2b30 : Tue Dec 03 2002 - 13:34:06 PST