Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

To: debian-devel@lists.debian.org
Subject: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
From: Jakub Wilk <jwilk@debian.org>
Date: Tue, 24 Apr 2012 13:16:00 +0200
Message-id: <[🔎] 20120424111600.GA7690@jwilk.net>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 84ehrdh2rg.fsf@sauna.l.org>
References: <[🔎] 84ehrdh2rg.fsf@sauna.l.org>

* Timo Juhani Lindfors <timo.lindfors@iki.fi>, 2012-04-24, 12:56:

     my @chars = (0 .. 9, 'a' .. 'z', 'A' .. 'Z');
     $alias .=  join ("", map {$chars[rand $#chars]} 1..8);

On Debian systems the rand() function of perl uses drand48() from eglibc
which implements a 48-bit LCG RNG.

Note that 8 random alphanumeric characters can have at most ~47.6 bitsof entropy. So just improving RNG wouldn't help here.


--
Jakub Wilk

Reply to:

Follow-Ups:
- Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Timo Juhani Lindfors <timo.lindfors@iki.fi>

References:
- devotee (debian vote engine): predictable RNG allows recovery of secret monikers
  - From: Timo Juhani Lindfors <timo.lindfors@iki.fi>

Prev by Date: Re: APT Signature verification public key
Next by Date: Bug#670261: ITP: libxml-tmx-perl -- Perl extensions for managing TMX files
Previous by thread: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Next by thread: Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers
Index(es):
- Date
- Thread