Predicting the rand() and using Cryptographic Random Numbers
Tuesday, February 10th, 2009Subscribe To Our Feed | Follow Us On Twitter | Get Updates on Email
Everyone must have used rand() sometime or the other while writing C code. The problem with rand() in most of the platforms is that it is easy to predict the output. Being based on unsigned int, it is just a simple function using a seed which is always the last randomly generated some number. This seed is not very tough to guess for an advanced hacker. once this seed is guessed,, any password or information based on random number generation can be easilt cracked and maligned.
following code is abridged code of rand() function implementation referenced from the book The C programming Language written by Brian Kernighan and Dennis Ritchie
unsigned long int next = 1; int rand(void) { next = next * 1103515245 + 12345; return (unsigned int)(next / 65536) % 32768; }
This type of function is generally called linear congruential function. As you can notice yourself, that these type of linear congruential functions are very much predictable and are not recommended for security sensitive applications. If you look at the above given code, it is obvious that if the underlying environment does not change, then the random number generation can easily be guessed as it will generate same random number on running the application again and again.
Continue Reading the rest of the entry
© Safer Code | Predicting the rand() and using Cryptographic Random Numbers
|
Liked this post? Get FREE Updates Subscribe to RSS feed 
|
