
Re: devotee (debian vote engine): predictable RNG allows recovery of secret monikers

* Timo Juhani Lindfors <timo.lindfors@iki.fi>, 2012-04-24, 12:56:
     my @chars = (0 .. 9, 'a' .. 'z', 'A' .. 'Z');
     $alias .=  join ("", map {$chars[rand $#chars]} 1..8);

On Debian systems the rand() function of perl uses drand48() from eglibc
which implements a 48-bit LCG RNG.

Note that 8 random alphanumeric characters can have at most ~47.6 bits of entropy. So just improving the RNG wouldn't help here.

Jakub Wilk
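
The entropy bound discussed above, worked through as an added example (not part of the original message and not devotee's own code). It computes the ceiling for the quoted generator, then draws a longer alias from the kernel CSPRNG. The 128-bit target, the use of /dev/urandom and the sub names are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my @chars = (0 .. 9, 'a' .. 'z', 'A' .. 'Z');   # 62 symbols, as in the quoted code

# Upper bound on entropy (bits) of $len symbols drawn uniformly from $n choices.
sub entropy_bits {
    my ($n, $len) = @_;
    return $len * log($n) / log(2);
}

# Smallest length whose uniform entropy reaches $bits.
sub min_length {
    my ($n, $bits) = @_;
    my $len = 1;
    $len++ while entropy_bits($n, $len) < $bits;
    return $len;
}

# Draw $len symbols from the kernel CSPRNG (assumed source: /dev/urandom).
# Bytes at or above the largest multiple of 62 that fits in a byte are
# rejected, so that byte % 62 is uniform over the alphabet.
sub random_alias {
    my ($len) = @_;
    open(my $fh, '<:raw', '/dev/urandom') or die "open /dev/urandom: $!";
    my $limit = 256 - (256 % @chars);
    my $out = '';
    while (length($out) < $len) {
        my $got = read($fh, my $byte, 1);
        die "read /dev/urandom: $!" unless $got;
        my $v = ord($byte);
        next if $v >= $limit;                    # rejection sampling
        $out .= $chars[$v % @chars];
    }
    close($fh);
    return $out;
}

# The quoted code indexes with "rand $#chars": $#chars is the last index (61),
# so the index is 0..60 and the final element is never selected.
printf "62 symbols x 8: %.1f bits\n", entropy_bits(scalar @chars, 8);
printf "61 symbols x 8: %.1f bits\n", entropy_bits($#chars, 8);
my $need = min_length(scalar @chars, 128);       # assumed target: 128 bits
printf "symbols needed for 128 bits: %d\n", $need;
print random_alias($need), "\n";
```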
