Hi,
Hope you can help me with this one. I am trying to create random
number between 0 and 1 inclusive of cryptographiuc quality.
The problems is though - I don't know how! Here is what I have so far
and I would greatly appreciate any comments/suggestions/code-samples
that you may like to share. Thank you.
Al
**** CODE AS FOLLOWS ****
byte[] random = new byte[2];
RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
rng.GetBytes (random);
return Convert.ToDouble(random[0]);
*** END CODE ***
The prblem with the above is that it produces very large numbers. I
nned numbers between 0 and 1.
17  6674 
On Jul 17, 4:41*pm, "almu...@altavista.com" <almu...@altavista.com>
wrote:
Hi,
* * * * Hope you can help me with this one. I am trying to createrandom
number between 0 and 1 inclusive of cryptographiuc quality.
* * * * The problems is though - I don't know how! Here is what Ihave so far
and I would greatly appreciate any comments/suggestions/code-samples
that you may like to share. Thank you.
Al
**** CODE AS FOLLOWS ****
* * * * * * byte[] random = new byte[2];
* * * * * * RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
* * * * * * rng.GetBytes (random);
* * * * * * return Convert.ToDouble(random[0]);
*** END CODE ***
* * * * The prblem with the above is that it produces very large numbers. I
nned numbers between 0 and 1.
byte[] random = new byte[8];
RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider();
rng.GetBytes(random);
return (double)BitConverter.ToUInt64(random) / UInt64.Max;
On Jul 17, 5:41*am, "almu...@altavista.com" <almu...@altavista.com>
wrote:
Hi,
* * * * Hope you can help me with this one. I am trying to createrandom
number between 0 and 1 inclusive of cryptographiuc quality.
* * * * The problems is though - I don't know how! Here is what Ihave so far
and I would greatly appreciate any comments/suggestions/code-samples
that you may like to share. Thank you.
Al
**** CODE AS FOLLOWS ****
* * * * * * byte[] random = new byte[2];
* * * * * * RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
* * * * * * rng.GetBytes (random);
* * * * * * return Convert.ToDouble(random[0]);
*** END CODE ***
* * * * The prblem with the above is that it produces very large numbers. I
nned numbers between 0 and 1.
What is this class: RNGCryptoServiceProvider? If it's a library
function, just look into the documentation for it.
Another solution: use MSFT's Random() function, and don't worry about
it being of "crypto quality" --for most stuff it's OK, just use the
system clock to reseed it once in a while. Good enough for government
work.
RL
On Jul 17, 1:54*pm, raylopez99 <raylope...@yahoo.comwrote:
On Jul 17, 5:41*am, "almu...@altavista.com" <almu...@altavista.com>
wrote:
Hi,
* * * * Hope you can help me with this one. I am trying to create random
number between 0 and 1 inclusive of cryptographiuc quality.
* * * * The problems is though - I don't know how! Here is whatI have so far
and I would greatly appreciate any comments/suggestions/code-samples
that you may like to share. Thank you.
Al
**** CODE AS FOLLOWS ****
* * * * * * byte[] random = new byte[2];
* * * * * * RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
* * * * * * rng.GetBytes (random);
* * * * * * return Convert.ToDouble(random[0]);
*** END CODE ***
* * * * The prblem with the above is that it produces very large numbers. I
nned numbers between 0 and 1.
What is this class: RNGCryptoServiceProvider? *If it's a library
function, just look into the documentation for it.
Another solution: *use MSFT's Random() function, and don't worry about
it being of "crypto quality" --for most stuff it's OK, just use the
system clock to reseed it once in a while. *Good enough for government
work.
RL- Hide quoted text -
- Show quoted text -
Thank you both very much for your comments - its working now.
Al.
On Jul 17, 5:58*pm, "almu...@altavista.com" <almu...@altavista.com>
wrote:
Thank you both very much for your comments - its working now.
You didn't say which way you went, so here's a warning: if you do
indeed truly need cryptographic RNG (i.e., because your specification
requires you to, for example, if you're generating salt for
encryption), then you should absolutely not use Random (which is a
class, by the way, not a function) - it is very predictable.
On Thu, 17 Jul 2008 05:54:33 -0700 (PDT), raylopez99
<ra********@yahoo.comwrote:
>Another solution: use MSFT's Random() function, and don't worry about
it being of "crypto quality" --for most stuff it's OK, just use the
system clock to reseed it once in a while. Good enough for government
work.
Absolutely not. Random is NOT of cryptographic quality and should not
be used for cryptographic purposes. The requirements for a
cryptographic RNG are very different from a simple PRNG for
simulations, which is what Random is. See RFC 4056: http://rfc.net/rfc4086.html for more details.
rossum
On Jul 17, 3:08*pm, Pavel Minaev <int...@gmail.comwrote:
On Jul 17, 5:58*pm, "almu...@altavista.com" <almu...@altavista.com>
wrote:
Thank you both very much for your comments - its working now.
You didn't say which way you went, so here's a warning: if you do
indeed truly need cryptographic RNG (i.e., because your specification
requires you to, for example, if you're generating salt for
encryption), then you should absolutely not use Random (which is a
class, by the way, not a function) - it is very predictable.
Sorry I'm using Pavels - it looks like this:
byte[] random = new byte[8];
RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
rng.GetBytes(random);
return (double)BitConverter.ToUInt64(random, 0)/
UInt64.MaxValue ;
Am interested to hear more about this salt...Any examples?
On Jul 17, 8:04*am, rossum <rossu...@coldmail.comwrote:
On Thu, 17 Jul 2008 05:54:33 -0700 (PDT), raylopez99
<raylope...@yahoo.comwrote:
Another solution: *use MSFT's Random() function, and don't worry about
it being of "crypto quality" --for most stuff it's OK, just use the
system clock to reseed it once in a while. *Good enough for government
work.
Absolutely not. *Random is NOT of cryptographic quality and should not
be used for cryptographic purposes. *The requirements for a
cryptographic RNG are very different from a simple PRNG for
simulations, which is what Random is. *See RFC 4056:http://rfc.net/rfc4086.htmlfor more details.
Whatever. Like Linus Torvalds said recently, the security folks have
their pants all tied in a knot over the smallest details. I'm sure
you're right, but if you reseed Random for the most part it gives you
pretty random numbers it seems to me.
And in fact reading the link you sent indicates that Microsoft does
have something that gets seeds from buffer memory something something
and produces near crypto quality randomness, which I guess is what the
OP was talking about : "Microsoft's recommendation to users of the
widely deployed Windows operating system is generally to use the
CryptGenRandom pseudo-random number generation call with the CryptAPI
cryptographic service provider. "
RL
raylopez99 <ra********@yahoo.comwrote:
Absolutely not. *Random is NOT of cryptographic quality and should not
be used for cryptographic purposes. *The requirements for a
cryptographic RNG are very different from a simple PRNG for
simulations, which is what Random is. *See RFC 4056:
http://rfc.net/rfc4086.htmlfor more details.
Whatever. Like Linus Torvalds said recently, the security folks have
their pants all tied in a knot over the smallest details. I'm sure
you're right, but if you reseed Random for the most part it gives you
pretty random numbers it seems to me.
And this is why people who aren't trained in security (including
myself) shouldn't be trusted to come up with secure algorithms.
System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
--
Jon Skeet - <sk***@pobox.com>
Web site: http://www.pobox.com/~skeet
Blog: http://www.msmvps.com/jon_skeet
C# in Depth: http://csharpindepth.com
On Thu, 17 Jul 2008 13:38:04 -0700 (PDT), raylopez99
<ra********@yahoo.comwrote:
>On Jul 17, 8:04*am, rossum <rossu...@coldmail.comwrote:
>On Thu, 17 Jul 2008 05:54:33 -0700 (PDT), raylopez99
<raylope...@yahoo.comwrote:
>Another solution: *use MSFT's Random() function, and don't worry about
it being of "crypto quality" --for most stuff it's OK, just use the
system clock to reseed it once in a while. *Good enough for government
work.
Absolutely not. *Random is NOT of cryptographic quality and should not
be used for cryptographic purposes. *The requirements for a
cryptographic RNG are very different from a simple PRNG for
simulations, which is what Random is. *See RFC 4056:http://rfc.net/rfc4086.htmlfor more details.
Whatever. Like Linus Torvalds said recently, the security folks have
their pants all tied in a knot over the smallest details. I'm sure
you're right, but if you reseed Random for the most part it gives you
pretty random numbers it seems to me.
Read Microsoft's own documentation for Random: "To generate a
cryptographically secure random number suitable for creating a random
password, for example, use a class derived from
System.Security.Cryptography.RandomNumberGenerator such as
System.Security.Cryptography.RNGCryptoServiceProvi der."
Reseeding Random can only take an Int32 as parameter. 32 bits is not
enough for most security purposes, and can be brute-forced reasonably
easily.
>
And in fact reading the link you sent indicates that Microsoft does
have something that gets seeds from buffer memory something something
and produces near crypto quality randomness, which I guess is what the
OP was talking about: "Microsoft's recommendation to users of the
widely deployed Windows operating system is generally to use the
CryptGenRandom pseudo-random number generation call with the CryptAPI
cryptographic service provider. "
Which is precisely what the default RNGCryptoServiceProvider does. To
quote from RFC 4068, section 7.1.3:
"Users of Windows ".NET" will probably find it easier to use
the RNGCryptoServiceProvider.GetBytes method interface."
Indeed.
rossum
>
RL
On Thu, 17 Jul 2008 10:29:12 -0700 (PDT), "al*****@altavista.com"
<al*****@altavista.comwrote:
>On Jul 17, 3:08*pm, Pavel Minaev <int...@gmail.comwrote:
>On Jul 17, 5:58*pm, "almu...@altavista.com" <almu...@altavista.com>
wrote:
Thank you both very much for your comments - its working now.
You didn't say which way you went, so here's a warning: if you do
indeed truly need cryptographic RNG (i.e., because your specification
requires you to, for example, if you're generating salt for
encryption), then you should absolutely not use Random (which is a
class, by the way, not a function) - it is very predictable.
Sorry I'm using Pavels - it looks like this:
byte[] random = new byte[8];
RNGCryptoServiceProvider rng = new
RNGCryptoServiceProvider();
rng.GetBytes(random);
return (double)BitConverter.ToUInt64(random, 0)/
UInt64.MaxValue ;
Am interested to hear more about this salt...Any examples?
See http://en.wikipedia.org/wiki/Salt_(cryptography)
It is used to stop an attacker precalculating password hashes from a
dictionary. See also Key Strengthening: http://en.wikipedia.org/wiki/Key_strengthening for the use of salt in
a key stretching algorithm.
rossum
On Jul 17, 2:02*pm, Jon Skeet [C# MVP] <sk...@pobox.comwrote:
System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
Jon--Because nobody will ever know. If he codes using Random() and
uses a scrambler on his object code, how can you test to see if the
RNG is weak or not? Now I'm sure there's some specialized hardware
out there to do so, but as a practical matter nobody will ever find
out and even care. Worse case somebody finds out and you issue a
patch, and in the meantime have made money from pushing your product
out the door first, before your competitors do.
Rapid coding it's called. You can do a "CASE" analysis, lots of
flowcharting of software architecture using UML and state diagrams,
lots of discussion about program flow, 'best coding' practices for a
"Level 3" organization with a team of PhD programmers, or, you can
just sit down by yourself and by the seat of your pants bash out some
code on your keyboard over a couple of weeks, with the architecture
done on-the-fly and 'in your mind's eye'. Use Bangladore to help you
on modular stuff you can plug in later. Meanwhile you've told your
customers that your alpha code is in final testing and will be shipped
soon--you collect the money, ship the product and use some of the
revenue to issue patches and fix bugs later.
Without mentioning names, that's what Microsoft and other large
organizations have done or allegedly could have done, and if it's good
enough for MSFT, it's good enuf 4 me.
RL
On Jul 18, 10:50*am, raylopez99 <raylope...@yahoo.comwrote:
On Jul 17, 2:02*pm, Jon Skeet [C# MVP] <sk...@pobox.comwrote:
System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
Jon--Because nobody will ever know. *If he codes using Random() and
uses a scrambler on his object code, how can you test to see if the
RNG is weak or not? *Now I'm sure there's some specialized hardware
out there to do so, but as a practical matter nobody will ever find
out and even care. *Worse case somebody finds out and you issue a
patch, and in the meantime have made money from pushing your product
out the door first, before your competitors do.
Rapid coding it's called. *You can do a "CASE" analysis, lots of
flowcharting of software architecture using UML and state diagrams,
lots of discussion about program flow, 'best coding' practices for a
"Level 3" organization with a team of PhD programmers, or, you can
just sit down by yourself and by the seat of your pants bash out some
code on your keyboard over a couple of weeks, with the architecture
done on-the-fly and 'in your mind's eye'. *Use Bangladore to help you
on modular stuff you can plug in later. *Meanwhile you've told your
customers that your alpha code is in final testing and will be shipped
soon--you collect the money, ship the product and use some of the
revenue to issue patches and fix bugs later.
Without mentioning names, that's what Microsoft and other large
organizations have done or allegedly could have done, and if it's good
enough for MSFT, it's good enuf 4 me.
RL
On a point of information there is a test for random sequence called
the chi-squared statistic cf. http://en.wikibooks.org/wiki/Algorit...hi-Square_Test
On Jul 18, 10:50*am, raylopez99 <raylope...@yahoo.comwrote:
System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
Jon--Because nobody will ever know. *If he codes using Random() and
uses a scrambler on his object code, how can you test to see if the
RNG is weak or not? *Now I'm sure there's some specialized hardware
out there to do so, but as a practical matter nobody will ever find
out and even care. *Worse case somebody finds out and you issue a
patch, and in the meantime have made money from pushing your product
out the door first, before your competitors do.
If the code has reached client machines, they can very easily find out
that he's using System.Random. Ever used Reflector? It not, try it.
Rapid coding it's called.
In this case it's called *sloppy* coding. Deliberately using something
you know to be weak, despite a declared requirement for a
cryptographically strong random number generator is just sloppy -
particularly when the alternative is readily available.
I'm all for agile coding and doing the simplest possible thing that
meets the requirements - but meeting the requirements is the key here.
Using System.Random *doesn't* meet the stated requirements.
Jon
On Fri, 18 Jul 2008 02:50:07 -0700 (PDT), raylopez99
<ra********@yahoo.comwrote:
>On Jul 17, 2:02*pm, Jon Skeet [C# MVP] <sk...@pobox.comwrote:
>System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
Jon--Because nobody will ever know.
The OP stated that he needed cryptographic quality random numbers. In
cryptogrqaphy you need to think in terms of the person who you are
defending against - "the attacker." Anything that the attacker can
reasonably do they are assumed to be able to do and so must be guarded
against. In this case the attacker can be reasonably expected to know
that Random is being used.
>If he codes using Random() and uses a scrambler on his object code,
how can you test to see if the RNG is weak or not?
The attacker can descramble the code, use Reflection, check links into
the .NET libraries or just look at the assembler actually being run on
the CPU. Random uses a known algorithm from Knuth so the attacker can
be expected to recognise it.
>Now I'm sure there's some specialized hardware
out there to do so,
There is, both hardware and software. The attacker can be assumed to
have it and to be able to use it correctly.
>but as a practical matter nobody will ever find
out and even care.
The attacker will find out and will most definitely care.
>Worse case somebody finds out and you issue a
patch, and in the meantime have made money from pushing your product
out the door first, before your competitors do.
And the people who suffered a loss because your insecure database
allowed their credit card details to be hacked sue you for punitive
damages. Their loss is a direct consequence of your sloppy security
design. How much money would that lose you? Bad security increases
some risks, including risks to the bottom line.
>
Rapid coding it's called.
It is also called sloppy security.
>
Without mentioning names, that's what Microsoft and other large
organizations have done or allegedly could have done, and if it's good
enough for MSFT, it's good enuf 4 me.
So you are still using the original crackable version of WEP then?
According to Wikipedia that time to crack is now down to a matter of
minutes.
rossum
>
RL
raylopez99 wrote:
On Jul 17, 5:41 am, "almu...@altavista.com" <almu...@altavista.com>
wrote:
[snip]
Another solution: use MSFT's Random() function, and don't worry about
it being of "crypto quality" --for most stuff it's OK, just use the
system clock to reseed it once in a while. Good enough for government
work.
RL
That's not a solution to the question when the OP specifically asks
about cryptographic quality random numbers.
raylopez99 wrote:
On Jul 17, 2:02 pm, Jon Skeet [C# MVP] <sk...@pobox.comwrote:
>System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
Jon--Because nobody will ever know. If he codes using Random() and
uses a scrambler on his object code, how can you test to see if the
RNG is weak or not? Now I'm sure there's some specialized hardware
out there to do so, but as a practical matter nobody will ever find
out and even care. Worse case somebody finds out and you issue a
patch, and in the meantime have made money from pushing your product
out the door first, before your competitors do.
Highly unethical. :(
Todd
Jon Skeet [C# MVP] wrote:
On Jul 18, 10:50 am, raylopez99 <raylope...@yahoo.comwrote:
>>System.Random *isn't* sufficiently random for security purposes. The OP
explicitly said he wanted a "cryptographic quality" random number
generator - why would you recommend something which goes directly
against what is asked for?
Jon--Because nobody will ever know. If he codes using Random() and
uses a scrambler on his object code, how can you test to see if the
RNG is weak or not? Now I'm sure there's some specialized hardware
out there to do so, but as a practical matter nobody will ever find
out and even care. Worse case somebody finds out and you issue a
patch, and in the meantime have made money from pushing your product
out the door first, before your competitors do.
If the code has reached client machines, they can very easily find out
that he's using System.Random. Ever used Reflector? It not, try it.
>Rapid coding it's called.
In this case it's called *sloppy* coding. Deliberately using something
you know to be weak, despite a declared requirement for a
cryptographically strong random number generator is just sloppy -
particularly when the alternative is readily available.
It's not sloppy, it's lazy and unethical.
Todd This thread has been closed and replies have been disabled. Please start a new discussion. Similar topics
by: Nicholas Geraldi |
last post by:
Im looking for a decent random number generator. Im looking to make a large
number of random numbers (100 or so, if not more) in a short period of time
(as fast as possible).
the function i was...
|
by: Marc Dansereau |
last post by:
Hi all
I am new to this forum and to the c programming language.
If I understand, the random() function in C return numbers that follow a
uniform distribution U(0,1). Can somebody know how to...
|
by: cvnweb |
last post by:
I am trying to generate 2 random numbers that are diffrent, in order to
add them to existing numbers to generate numbers that start out the
same, but are randomly added and subtracted so that they...
|
by: fieldfallow |
last post by:
Hello all,
Is there a function in the standard C library which returns a prime
number which is also pseudo-random?
Assuming there isn't, as it appears from the docs that I have, is there
a...
|
by: Jim Michaels |
last post by:
I need to generate 2 random numbers in rapid sequence from either PHP or
mysql.
I have not been able to do either. I get the same number back several times
from PHP's mt_rand() and from mysql's...
|
by: chico_yallin |
last post by:
I just wana make a random id number based on4 digits-for examples??
Thanks in Advance
Ch.Yallin
|
by: Peter Oliphant |
last post by:
I would like to be able to create a random number generator that produces
evenly distributed random numbers up to given number.
For example, I would like to pick a random number less than 100000,...
|
by: badcrusher10 |
last post by:
Hello.
I'm having trouble figuring out what to do and how to do.. could someone explain to me what I need to do in order to work?
THIS IS WHAT I NEED TO DO:
Professor Snoop wants a program...
|
by: pereges |
last post by:
I need to generate two uniform random numbers between 0 and 1 in C ?
How to do it ?
I looked into rand function where you need to #define RAND_MAX as 1
but will this rand function give me ...
|
by: lllomh |
last post by:
Define the method first
this.state = {
buttonBackgroundColor: 'green',
isBlinking: false, // A new status is added to identify whether the button is blinking or not
}
autoStart=()=>{
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 4 Oct 2023 starting at 18:00 UK time (6PM UTC+1) and finishing at about 19:15 (7.15PM)
The start time is equivalent to 19:00 (7PM) in Central...
|
by: tracyyun |
last post by:
Hello everyone,
I have a question and would like some advice on network connectivity. I have one computer connected to my router via WiFi, but I have two other computers that I want to be able to...
|
by: giovanniandrean |
last post by:
The energy model is structured as follows and uses excel sheets to give input data:
1-Utility.py contains all the functions needed to calculate the variables and other minor things (mentions...
|
by: NeoPa |
last post by:
Introduction
For this article I'll be using a very simple database which has Form (clsForm) & Report (clsReport) classes that simply handle making the calling Form invisible until the Form, or all...
|
by: isladogs |
last post by:
The next Access Europe meeting will be on Wednesday 1 Nov 2023 starting at 18:00 UK time (6PM UTC) and finishing at about 19:15 (7.15PM)
Please note that the UK and Europe revert to winter time on...
|
by: nia12 |
last post by:
Hi there,
I am very new to Access so apologies if any of this is obvious/not clear.
I am creating a data collection tool for health care employees to complete. It consists of a number of...
|
by: NeoPa |
last post by:
Introduction
For this article I'll be focusing on the Report (clsReport) class. This simply handles making the calling Form invisible until all of the Reports opened by it have been closed, when it...
|
by: GKJR |
last post by:
Does anyone have a recommendation to build a standalone application to replace an Access database? I have my bookkeeping software I developed in Access that I would like to make available to other...
| |
