What is the practical impact of using System.Random which is not cryptographically random?Soft question: Examples where lack of mathematical rigour cause security breaches?Cryptographically strong pseudo-random seq. generatorsGenerate random number which should depend on keyPractical benefit of using a KDF?Is it safe to combine System.Random with cryptographically secure pseudo-random number generators?What does it mean for a random number generator to be cryptographically secure?Correlation among Psuedo Random Sequences generated from seeds which are correlatedIs a large random number cryptographically equivalent to the product of multiple smaller ones?PRNGs which are not CSPRNGImpact of the hash algorithm on a PRNGPractical way to generate random numbers from PRNG which are indistinguishable from true random

What caused the end of cybernetic implants?

How did medieval manors handle population growth? Was there room for more fields to be ploughed?

Is Pathfinder 2e compatible with Pathfinder 1e, and D&D 3.5 and 3rd edition?

Why are JWST optics not enclosed like HST?

Necessity of tenure for lifetime academic research

Is there an in-universe explanation given to the senior Imperial Navy Officers as to why Darth Vader serves Emperor Palpatine?

Count the number of triangles

Why does Sauron not permit his followers to use his name?

Why doesn't Starship have four landing legs?

Moscow SVO airport, how to avoid scam taxis without pre-booking?

Did ancient peoples ever hide their treasure behind puzzles?

'Horseshoes' for Deer?

Is "survival" paracord with fire starter strand dangerous

Why is the Ellipsoid Method of polynomial complexity?

Is this homebrew "Faerie Fire Grenade" unbalanced?

Why do IR remotes influence AM radios?

How can I improve my formal definitions

What is the following VRP?

What's the difference between a variable and a memory location?

What is this "opened" cube called?

In what language did Túrin converse with Mím?

Did the Apollo Guidance Computer really use 60% of the world's ICs in 1963?

Has the number of the tribes of Israel anything to do with the universe/stars/planets?

Why does `buck` mean `step-down`?



What is the practical impact of using System.Random which is not cryptographically random?


Soft question: Examples where lack of mathematical rigour cause security breaches?Cryptographically strong pseudo-random seq. generatorsGenerate random number which should depend on keyPractical benefit of using a KDF?Is it safe to combine System.Random with cryptographically secure pseudo-random number generators?What does it mean for a random number generator to be cryptographically secure?Correlation among Psuedo Random Sequences generated from seeds which are correlatedIs a large random number cryptographically equivalent to the product of multiple smaller ones?PRNGs which are not CSPRNGImpact of the hash algorithm on a PRNGPractical way to generate random numbers from PRNG which are indistinguishable from true random






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








1












$begingroup$


I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.



But my question is this:



  • What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?









share|improve this question









$endgroup$




















    1












    $begingroup$


    I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.



    But my question is this:



    • What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?









    share|improve this question









    $endgroup$
















      1












      1








      1





      $begingroup$


      I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.



      But my question is this:



      • What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?









      share|improve this question









      $endgroup$




      I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.



      But my question is this:



      • What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?






      keys random-number-generator key-derivation randomness pseudo-random-function






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked 9 hours ago









      learnerXlearnerX

      2031 gold badge3 silver badges12 bronze badges




      2031 gold badge3 silver badges12 bronze badges























          2 Answers
          2






          active

          oldest

          votes


















          3













          $begingroup$

          What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.



          What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.



          Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].



          Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.




          That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.






          share|improve this answer











          $endgroup$






















            2













            $begingroup$

            The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.



            Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.






            share|improve this answer











            $endgroup$

















              Your Answer








              StackExchange.ready(function()
              var channelOptions =
              tags: "".split(" "),
              id: "281"
              ;
              initTagRenderer("".split(" "), "".split(" "), channelOptions);

              StackExchange.using("externalEditor", function()
              // Have to fire editor after snippets, if snippets enabled
              if (StackExchange.settings.snippets.snippetsEnabled)
              StackExchange.using("snippets", function()
              createEditor();
              );

              else
              createEditor();

              );

              function createEditor()
              StackExchange.prepareEditor(
              heartbeatType: 'answer',
              autoActivateHeartbeat: false,
              convertImagesToLinks: false,
              noModals: true,
              showLowRepImageUploadWarning: true,
              reputationToPostImages: null,
              bindNavPrevention: true,
              postfix: "",
              imageUploader:
              brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
              contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
              allowUrls: true
              ,
              noCode: true, onDemand: true,
              discardSelector: ".discard-answer"
              ,immediatelyShowMarkdownHelp:true
              );



              );













              draft saved

              draft discarded


















              StackExchange.ready(
              function ()
              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72908%2fwhat-is-the-practical-impact-of-using-system-random-which-is-not-cryptographical%23new-answer', 'question_page');

              );

              Post as a guest















              Required, but never shown

























              2 Answers
              2






              active

              oldest

              votes








              2 Answers
              2






              active

              oldest

              votes









              active

              oldest

              votes






              active

              oldest

              votes









              3













              $begingroup$

              What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.



              What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.



              Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].



              Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.




              That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.






              share|improve this answer











              $endgroup$



















                3













                $begingroup$

                What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.



                What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.



                Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].



                Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.




                That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.






                share|improve this answer











                $endgroup$

















                  3














                  3










                  3







                  $begingroup$

                  What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.



                  What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.



                  Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].



                  Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.




                  That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.






                  share|improve this answer











                  $endgroup$



                  What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.



                  What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.



                  Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].



                  Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.




                  That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.







                  share|improve this answer














                  share|improve this answer



                  share|improve this answer








                  edited 55 mins ago

























                  answered 8 hours ago









                  Squeamish OssifrageSqueamish Ossifrage

                  31.5k1 gold badge52 silver badges135 bronze badges




                  31.5k1 gold badge52 silver badges135 bronze badges


























                      2













                      $begingroup$

                      The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.



                      Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.






                      share|improve this answer











                      $endgroup$



















                        2













                        $begingroup$

                        The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.



                        Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.






                        share|improve this answer











                        $endgroup$

















                          2














                          2










                          2







                          $begingroup$

                          The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.



                          Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.






                          share|improve this answer











                          $endgroup$



                          The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.



                          Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.







                          share|improve this answer














                          share|improve this answer



                          share|improve this answer








                          edited 3 hours ago

























                          answered 3 hours ago









                          rmalayterrmalayter

                          1,84411 silver badges21 bronze badges




                          1,84411 silver badges21 bronze badges






























                              draft saved

                              draft discarded
















































                              Thanks for contributing an answer to Cryptography Stack Exchange!


                              • Please be sure to answer the question. Provide details and share your research!

                              But avoid


                              • Asking for help, clarification, or responding to other answers.

                              • Making statements based on opinion; back them up with references or personal experience.

                              Use MathJax to format equations. MathJax reference.


                              To learn more, see our tips on writing great answers.




                              draft saved


                              draft discarded














                              StackExchange.ready(
                              function ()
                              StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72908%2fwhat-is-the-practical-impact-of-using-system-random-which-is-not-cryptographical%23new-answer', 'question_page');

                              );

                              Post as a guest















                              Required, but never shown





















































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown

































                              Required, but never shown














                              Required, but never shown












                              Required, but never shown







                              Required, but never shown







                              Popular posts from this blog

                              Canceling a color specificationRandomly assigning color to Graphics3D objects?Default color for Filling in Mathematica 9Coloring specific elements of sets with a prime modified order in an array plotHow to pick a color differing significantly from the colors already in a given color list?Detection of the text colorColor numbers based on their valueCan color schemes for use with ColorData include opacity specification?My dynamic color schemes

                              Invision Community Contents History See also References External links Navigation menuProprietaryinvisioncommunity.comIPS Community ForumsIPS Community Forumsthis blog entry"License Changes, IP.Board 3.4, and the Future""Interview -- Matt Mecham of Ibforums""CEO Invision Power Board, Matt Mecham Is a Liar, Thief!"IPB License Explanation 1.3, 1.3.1, 2.0, and 2.1ArchivedSecurity Fixes, Updates And Enhancements For IPB 1.3.1Archived"New Demo Accounts - Invision Power Services"the original"New Default Skin"the original"Invision Power Board 3.0.0 and Applications Released"the original"Archived copy"the original"Perpetual licenses being done away with""Release Notes - Invision Power Services""Introducing: IPS Community Suite 4!"Invision Community Release Notes

                              199年 目錄 大件事 到箇年出世嗰人 到箇年死嗰人 節慶、風俗習慣 導覽選單