The random number seed can be the weakest link


Random number generation is hard. That's why you should leave it to the experts.

But even if you choose a good random number generator, you still have to seed it properly. The best random number generator in the world isn't very useful if people can guess the seed. That's why seeding the random number generator with the current time is not very secure; it's not hard to guess the current time!

So it's important to throw something unguessable into the seed. As the above paper notes, just the time and process id are not good enough.

So what should you do? Don't ask me; I'm not a cryptography expert. Here are some suggestions from other people. Maybe some of them are good, maybe not.
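To make the point about time-based seeds concrete, here is an added example (not from the original post): a token drawn from a PRNG seeded with whole-second wall-clock time, the same token drawn from the OS cryptographic generator instead, and an audit check showing that knowing roughly when the weak token was issued reduces the seed search to a few candidates. The function names and the 16-byte token size are assumptions made for this illustration.

```python
import random
import secrets
import time
from typing import Optional

TOKEN_BYTES = 16  # assumed token size for this illustration


def weak_token(seed_seconds: int, nbytes: int = TOKEN_BYTES) -> bytes:
    # The "before" case: a general-purpose PRNG seeded with a timestamp
    # (whole seconds). Anyone who can guess the time can regenerate the token.
    rng = random.Random(seed_seconds)
    return rng.getrandbits(8 * nbytes).to_bytes(nbytes, "big")


def strong_token(nbytes: int = TOKEN_BYTES) -> bytes:
    # The "after" case: let the OS CSPRNG (CryptGenRandom on Windows,
    # /dev/urandom elsewhere) supply the bytes. There is no caller-chosen seed.
    return secrets.token_bytes(nbytes)


def recover_time_seed(token: bytes, guess_seconds: int, window: int) -> Optional[int]:
    # Audit check for the weak scheme: if the seed was a timestamp and the issue
    # time is known to within +/- `window` seconds, only 2*window+1 seeds need
    # to be tried. Returns the seed if found, None otherwise.
    for candidate in range(guess_seconds - window, guess_seconds + window + 1):
        if weak_token(candidate, len(token)) == token:
            return candidate
    return None


if __name__ == "__main__":
    issued = int(time.time())
    tok = weak_token(issued)
    # A guess that is 5 seconds off, with a 30-second window, still finds the seed.
    print("weak seed recovered:", recover_time_seed(tok, issued + 5, 30) == issued)
    # The CSPRNG token has no seed to search for.
    print("strong token:", strong_token().hex())
```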

Comments (19)
  1. Smelly says:

    I know! I’ll use a second random number generator to generate the seed for my primary random number generator, and I’ll seed the second one with…D’oh!

  2. Fletch says:

    There could be a lot of reality in the above post. I wonder how many new-to-the-game do something like: seed=rnd() ?

    I of course, seed mine with a constant :)

  3. Paul says:

    CryptGenRandom???

    Shouldn’t be all that hard to wrap some OLE goo around it so VBScripters can use it.

  4. Jeremy Bloath says:

    Golly that VBScript guy (http://weblogs.asp.net/gstemp/archive/2004/02/23/78434.aspx) is just about the most boring writer I’ve ever had the misfortune to try to wade through. More than 50% of the text is wildly off-topic: Mostly, he just giggles in a high-pitched voice, talks about himself and his friends, and makes resoundingly ponderous "jokes".

    965 words into the article, he finally starts trying to explain something about the alleged topic, and promptly gets confused about the difference between numbers and strings.

    The inserted bits in purple are good, though. The purple guy actually knows something. Maybe that’s why there’s zero bullshit in those parts.

    I understand that the giggling moron is trying to write down to VBS people. When you’ve got an audience about mid-way between Australopithecus boisei and Pithecanthropus erectus, you can’t ask for too much comprehension. I also understand that the less-advanced hominids LIKE it when somebody babbles about nothing at all in a witlessly "chatty" way. Since the content of the article is beyond their feeble grasp, you have to feed ’em a lot of bullshit to keep ’em eating. So to speak.

    But here’s the thing: If your audience is so dumb that you have to feed them massive doses of cotton candy just to coax them through the parts that confuse them, what’s the point? Why bother at all? The author is pretending to explain something he doesn’t understand, and his readers are pretending to learn something they CAN’T understand.

    Why don’t they all just go watch TV?

  5. Cooney says:

    Why don’t they all just go watch TV?

    Maybe the cable’s out?

  6. B.Y. says:

    On Pentium or later CPUs, the lower N bits of CPU cycle count should be a good random seed/number.

  7. ATZ Man says:

    Donald Knuth has written quite a bit about the seeding topic. Seeding with rnd() is so 1970’s.

    A decent RNG like the one used in OpenSSL needs a huge seed vector (bytes and bytes of data) and there’s lots of practical advice for seeding it in the OpenSSL community.

    The Stemp blog entry reads like a transcript of a lecture. Humor is good in lectures and blog entries, but web technical writing needs to be more concise than a lecture. I’m actually surprised that such a windy article even got linked.

  8. Dan Maas says:

    One of my favorites:

    http://www.lavarnd.org/demo/index.html

    I believe this is the current incarnation of the SGI project that used a cluster of Lava Lamps to generate random bits. (I once tried to compress some of their outputs – gzip and bzip2 certainly couldn’t do anything!)

    A neat suggestion that came up on the Linux kernel list was to sample your analog audio (microphone) input with nothing connected (thereby obtaining electrical noise).

    And don’t both Intel and AMD now include noise-generating hardware specifically for cryptography use?

  9. I’ll take chatty-with-high-noise-to-signal-ratio writing over condescending, insulting, adding-no-value-whatsoever cheap-shot writing any day.

    Oh, wait — am I feeding the troll again? Damn. I have to learn to stop doing that.

  10. Anonymous says:

    How about CryptGenRandom()?

  11. Jeremy Bloath says:

    O Purple Guy: The poor dumb chatty guy won’t ever do any better if nobody tells him he’s getting it wrong.

    Remember: Knock a drunk unconscious, and you’ve gotten him on the wagon for a day; give him a sinecure, and he’s OFF the wagon for a lifetime.

  12. runtime says:

    random.org has lots of interesting info about random numbers, including a SOAP interface to their random number web service. :-)

    The way the random.org random number generator works is quite simple. A radio is tuned into a frequency where nobody is broadcasting. The atmospheric noise picked up by the receiver is fed into a Sun SPARC workstation through the microphone port where it is sampled by a program as an eight bit mono signal at a frequency of 8KHz. The upper seven bits of each sample are discarded immediately and the remaining bits are gathered and turned into a stream of bits with a high content of entropy. Skew correction is performed on the bit stream, in order to ensure that there is an approximately even distribution of 0s and 1s.
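The comment above describes keeping the lowest bit of each 8-bit sample and then applying skew correction. The following added example (not from the comment or from random.org, whose exact method is not stated here) implements that pipeline with one standard skew-correction technique, von Neumann debiasing, over a constructed biased sample stream; the source bits are assumed to be independent, which von Neumann's method requires.

```python
import random
from typing import List, Sequence


def lsb_stream(samples: Sequence[int]) -> List[int]:
    # Discard the upper seven bits of each 8-bit sample, keep the lowest one.
    return [s & 1 for s in samples]


def von_neumann_debias(bits: Sequence[int]) -> List[int]:
    # Read the stream in non-overlapping pairs: 01 -> 0, 10 -> 1, 00 and 11 are
    # dropped. For independent bits, P(01) == P(10), so the output is unbiased
    # no matter how skewed the input was. Correlated input is NOT fixed by this.
    out: List[int] = []
    for i in range(0, len(bits) - 1, 2):
        a, b = bits[i], bits[i + 1]
        if a != b:
            out.append(a)
    return out


def ones_fraction(bits: Sequence[int]) -> float:
    # Quick sanity statistic: fraction of 1s (0.5 is the ideal).
    return sum(bits) / len(bits) if bits else 0.0


def constructed_biased_samples(n: int, p_one: float, seed: int = 1234) -> List[int]:
    # Constructed test input standing in for the microphone ADC: 8-bit samples
    # whose lowest bit is 1 with probability p_one (deliberately skewed).
    rng = random.Random(seed)
    return [(rng.getrandbits(7) << 1) | (1 if rng.random() < p_one else 0)
            for _ in range(n)]


if __name__ == "__main__":
    raw = lsb_stream(constructed_biased_samples(20000, 0.7))
    fixed = von_neumann_debias(raw)
    print(f"before: {ones_fraction(raw):.3f} ones, {len(raw)} bits")
    print(f"after:  {ones_fraction(fixed):.3f} ones, {len(fixed)} bits")
```

The price of the correction is throughput: roughly half of each retained pair and all matching pairs are thrown away, so the output is well under a quarter of the input length.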

  13. Doug says:

    I think I’ll go make a transmitter and transmit on their frequency.

    Subtly….

  14. Wilhelm Svenselius says:

    Actually, I’ve learned to stand listening to the condescending, insulting, holier-than-thou type of programmer because they’re usually damn good at what they do and they know it. (And in the few cases where they only think they know, you can usually tell rather quickly.)

    I would have to agree with Jeremy that "the VBScript guy"’s article was mostly bloat with a very low ratio of signal to noise. Despite what Raymond says, I’d prefer one of his writeups to one of "Mr VBScript"’s any day – even something like "Oh, just use CryptGenRandom()" would be far better.

  15. Neelix says:

    If you want true random numbers, you have to generate them using quantum effects. These people have built something using radioactive decay: http://www.fourmilab.ch/hotbits/

    I’d say that the random numbers you can get from there are even better than the ones from random.org, because the latter can be influenced by sending a radio signal at a certain frequency near the building where their receiver is located.

  16. Frederik Slijkerman says:

    Why don’t the people at random.org just use a resistor with its natural noise? That seems a lot less vulnerable than a receiver.

  17. Raymond Chen says:

    Commenting on this article has been closed.
