What is the practical impact of using System.Random which is not cryptographically random?Soft question: Examples where lack of mathematical rigour cause security breaches?Cryptographically strong pseudo-random seq. generatorsGenerate random number which should depend on keyPractical benefit of using a KDF?Is it safe to combine System.Random with cryptographically secure pseudo-random number generators?What does it mean for a random number generator to be cryptographically secure?Correlation among Psuedo Random Sequences generated from seeds which are correlatedIs a large random number cryptographically equivalent to the product of multiple smaller ones?PRNGs which are not CSPRNGImpact of the hash algorithm on a PRNGPractical way to generate random numbers from PRNG which are indistinguishable from true random
What caused the end of cybernetic implants?
How did medieval manors handle population growth? Was there room for more fields to be ploughed?
Is Pathfinder 2e compatible with Pathfinder 1e, and D&D 3.5 and 3rd edition?
Why are JWST optics not enclosed like HST?
Necessity of tenure for lifetime academic research
Is there an in-universe explanation given to the senior Imperial Navy Officers as to why Darth Vader serves Emperor Palpatine?
Count the number of triangles
Why does Sauron not permit his followers to use his name?
Why doesn't Starship have four landing legs?
Moscow SVO airport, how to avoid scam taxis without pre-booking?
Did ancient peoples ever hide their treasure behind puzzles?
'Horseshoes' for Deer?
Is "survival" paracord with fire starter strand dangerous
Why is the Ellipsoid Method of polynomial complexity?
Is this homebrew "Faerie Fire Grenade" unbalanced?
Why do IR remotes influence AM radios?
How can I improve my formal definitions
What is the following VRP?
What's the difference between a variable and a memory location?
What is this "opened" cube called?
In what language did Túrin converse with Mím?
Did the Apollo Guidance Computer really use 60% of the world's ICs in 1963?
Has the number of the tribes of Israel anything to do with the universe/stars/planets?
Why does `buck` mean `step-down`?
What is the practical impact of using System.Random which is not cryptographically random?
Soft question: Examples where lack of mathematical rigour cause security breaches?Cryptographically strong pseudo-random seq. generatorsGenerate random number which should depend on keyPractical benefit of using a KDF?Is it safe to combine System.Random with cryptographically secure pseudo-random number generators?What does it mean for a random number generator to be cryptographically secure?Correlation among Psuedo Random Sequences generated from seeds which are correlatedIs a large random number cryptographically equivalent to the product of multiple smaller ones?PRNGs which are not CSPRNGImpact of the hash algorithm on a PRNGPractical way to generate random numbers from PRNG which are indistinguishable from true random
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
$endgroup$
add a comment |
$begingroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
$endgroup$
add a comment |
$begingroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
$endgroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
keys random-number-generator key-derivation randomness pseudo-random-function
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 9 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
2031 gold badge3 silver badges12 bronze badges
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72908%2fwhat-is-the-practical-impact-of-using-system-random-which-is-not-cryptographical%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
add a comment |
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
add a comment |
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
That said, if the (secret) seed really is a 32-bit integer as the documentation suggests, the search space for the seed is so small you can exhaustively try all seeds and completely break everything about the system by finding the seed on the phone in your pocket while you're busy playing Candy Crush Saga and reading Instagram without even draining the battery once. This is so laughably insecure it is even worse than the Netscape SSL RNG bug that made news in 1996, and if you also know what time of day it was when the luser called System.Random, you can break it even faster.
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
edited 55 mins ago
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
answered 8 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
31.5k1 gold badge52 silver badges135 bronze badges
add a comment |
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
edited 3 hours ago
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
answered 3 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
1,84411 silver badges21 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72908%2fwhat-is-the-practical-impact-of-using-system-random-which-is-not-cryptographical%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
