The random module is *very* weak, it has less than 48 bits of state (Wichmann-Hill 1982). It doesn't really generate results appropriate for double precision float, and it fails modern test suites for PRNGs, so it's basically unsuitable for most modern applications. Also, I haven't looked at Yaws' implementation but the random module only ensures that you have a good seed if you are using the process dictionary version of the API, otherwise you have to ensure that each component is non-zero and not an integer multiple of the prime for that component yourself.<span></span><div>
<br></div><div>The best alternative is what this version appears to use: the crypto module. If you need something faster that doesn't have to be safe for cryptographic purposes you'll have to look outside of OTP.<br>
<br>On Thursday, June 21, 2012, Pablo Platt wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div style="font-size:12pt;font-family:arial,helvetica,sans-serif">
<div><span>What are the alternatives?<br></span></div><div><br></div> <div style="font-family:arial,helvetica,sans-serif;font-size:12pt"> <div style="font-family:times new roman,new york,times,serif;font-size:12pt"> <div dir="ltr">
<font face="Arial"> <hr size="1"> <b><span style="font-weight:bold">From:</span></b> Geoff Cant &lt;<a href="mailto:nem@erlang.geek.nz" target="_blank">nem@erlang.geek.nz</a>&gt;<br>
<b><span style="font-weight:bold">To:</span></b> Claes Wikstrom &lt;<a href="mailto:klacke@hyber.org" target="_blank">klacke@hyber.org</a>&gt; <br><b><span style="font-weight:bold">Cc:</span></b> erlang-questions &lt;<a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a>&gt; <br>
<b><span style="font-weight:bold">Sent:</span></b> Thursday, June 21, 2012 12:37 AM<br> <b><span style="font-weight:bold">Subject:</span></b> Re: [erlang-questions] Yaws security alert - Yaws 1.93<br> </font> </div> <br>
<br>On 2012-06-20, at 14:17 , Claes Wikstrom wrote:<br><br>> On 06/20/2012 11:10 PM, Geoff Cant wrote:<br>>> Hi Klake,<br>>> <br>>> Is the problem related to predictable seeding of random (set to {A,B,C} =<br>
>> erlang:now() at some point) or is it a bigger break in taking a series of<br>>> outputs from random:uniform and working out the internal state from that?<br>>> Just trying to figure out if kallez's attack is a brute force discovery of a<br>
>> weak seed, or if it's a more complete break of the generator itself given an<br>>> unknown seed.<br>>> <br>>> Cheers,<br>> <br>> <br>> It's not, Yaws was using the seed as in<br>
> <br>> <br>> {X,Y,Z} = seed(),<br>> <br>> ...<br>> <br>> <br>> seed() -><br>> case (catch list_to_binary(<br>> os:cmd("dd if=/dev/urandom
ibs=12 count=1 2>/dev/null"))) of<br>> <<X:32, Y:32, Z:32>> -><br>> {X, Y, Z};<br>> _ -><br>> now()<br>> end.<br>> <br>> <br>> The problem is much deeper, it's the random algorithm itself. It's said that<br>
> it's cryptographically weak - now I've seen how weak. Very weak.<br><br><br>That's pretty neat indeed then (as an attack, not so great for anyone using random:uniform for any crypto-ish purpose). I'd love to look at a description of the break if one becomes available.<br>
<br>Cheers,<br>--<br>Geoff Cant<br><br><br><br><br>_______________________________________________<br>erlang-questions mailing list<br><a href="mailto:erlang-questions@erlang.org" target="_blank">erlang-questions@erlang.org</a><br>
<a href="http://erlang.org/mailman/listinfo/erlang-questions" target="_blank">http://erlang.org/mailman/listinfo/erlang-questions</a><br><br><br> </div> </div> </div></div></blockquote></div>
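<p>The two defender-side points made in the thread, as an added example (this is not code from the thread, from Yaws or from OTP): draw uniform integers from the crypto module instead of <code>random:uniform/1</code>, and, where the non-cryptographic random module is still used for non-security purposes, check that an explicitly chosen seed meets the constraints the top reply describes. <code>crypto:strong_rand_bytes/1</code> is the real OTP crypto function; the moduli 30269, 30307 and 30323 are assumed here to be the Wichmann-Hill constants behind the random module, since the thread names the algorithm but not its constants.</p>

```erlang
%% rand_example.erl -- added example; not code from the thread, Yaws or OTP.
%% crypto:strong_rand_bytes/1 is the OTP crypto API the top reply points to.
%% The moduli below are ASSUMED to be the Wichmann-Hill constants used by the
%% random module (the thread names the algorithm only, not its constants).
-module(rand_example).
-export([uniform/1, valid_seed/1, strong_seed/0, demo/0]).

-define(WH_MODULI, [30269, 30307, 30323]).  % assumed Wichmann-Hill moduli

%% Drop-in for random:uniform/1 backed by the crypto module: an integer in
%% 1..N with every value equally likely.  Rejection sampling avoids the bias
%% that "X rem N" would introduce whenever 2^Bits is not a multiple of N.
uniform(N) when is_integer(N), N >= 1 ->
    Bits  = bits_needed(N - 1),
    Bytes = max(1, (Bits + 7) div 8),
    draw(N, Bits, Bytes).

draw(N, Bits, Bytes) ->
    <<X:Bits, _/bitstring>> = crypto:strong_rand_bytes(Bytes),
    case X < N of
        true  -> X + 1;
        false -> draw(N, Bits, Bytes)   % out of range: redraw, never reduce
    end.

%% Smallest number of bits that can represent every value in 0..Max.
bits_needed(0)   -> 0;
bits_needed(Max) -> bits_needed(Max bsr 1) + 1.

%% Seed check for the *non-cryptographic* random module, if it is kept for
%% non-security uses with an explicit seed: per the top reply, each component
%% must be non-zero and not an integer multiple of its generator modulus.
valid_seed({A, B, C}) ->
    lists:all(fun({S, M}) -> is_integer(S) andalso S =/= 0 andalso S rem M =/= 0 end,
              lists:zip([A, B, C], ?WH_MODULI));
valid_seed(_) ->
    false.

%% Seed from the OS entropy source, as Klacke's dd-based seed() did, but
%% without shelling out, and retried until the components are acceptable.
%% This fixes seeding only; as the thread says, the generator itself stays
%% weak, so use uniform/1 above wherever unpredictability matters.
strong_seed() ->
    <<X:32, Y:32, Z:32>> = crypto:strong_rand_bytes(12),
    Seed = {X, Y, Z},
    case valid_seed(Seed) of
        true  -> Seed;
        false -> strong_seed()
    end.

%% Sanity run: 1000 dice rolls from the strong generator, all within 1..6.
demo() ->
    Seed  = strong_seed(),
    true  = valid_seed(Seed),
    Rolls = [uniform(6) || _ <- lists:seq(1, 1000)],
    true  = lists:all(fun(R) -> R >= 1 andalso R =< 6 end, Rolls),
    {Seed, lists:usort(Rolls)}.
```

<p>Compile and run with <code>erlc rand_example.erl &amp;&amp; erl -noshell -eval 'io:format("~p~n", [rand_example:demo()]), halt().'</code>. The rejection loop in <code>draw/3</code> discards at most about half of the draws (when N is just above a power of two), which is the price of an unbiased result; <code>valid_seed/1</code> encodes the reply's point that the library only guarantees a usable seed when it chooses the seed itself.</p>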