Oh. I see. The author says in the the comments of his 10 line Perl script that it is a "cryptographically secure random number generator", and so you take that at face value and believe it?
Or, perhaps, you might investigate what makes it such. For example, you might see the reference to a third party library and wonder what that's about. And if your investigations of that didn't lead you to suitable information, you might come back and ask one or two questions of the author. Like maybe, what makes this cryptographically secure as opposed to the current best-of-breed PRNG, the Mersenne Twister.
Or then again, maybe you wouldn't. But of course, you don't have to, because I already did that.
You might also wonder about the security of a CSPRNG that exposes itself to 'remote code execution vulnerabilities'. Or not. But again, you do not have to, because I already did that too.
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.
| [reply] |
Like maybe, what makes this cryptographically secure as opposed to the current best-of-breed PRNG, the Mersenne Twister.
Look, no need to attack me for this, I'm a Mersenne Twister fan myself, but the authors of the MT themselves say in big blinking letters do not use for cryptographic purposes. Surely you must have read that?
I have no idea if the algorithm here is suitable. The author himself says it is. That is clearly a difference in positioning. I have no use for cryptographic purposes, so I don't feel the need to investigate. And now, fuck off.
| [reply] |
I am back as the author of this posting. Finally to respond !!
The "cryptographic" is important form the standpoint of some
games like computer backgammon that use some neural net learning algorithm. The game algorithm may be hacking the Pseudo Random Number generator's algorithm rather than game
strategy itself or a combination of both. So by randomizing the seed (gathering entropy ) from Current Time, process ID, Memory info, and so on, (As described about for
CryptGenRandom() API that CAPICOM uses) a human or machine
has a harder time figuring out what LCRNG you are using.
Remember, a random number generator is no longer random if its seed and algorithm are known.
The srand documentation shows a simple unix entropy example:
srand(time ^ $$ ^ unpack "%32L*", `ps auxw | gzip`);
You want to seed your generator with as much entropy or in plain English "garbage" or "noise" bits.
Having said that, Intel has a hardware resistor noise intereface to further add to the entropy pool. I am not sure
how to use that in CAPICOM. The Intel site doesn't seem
to indicate that Windows XP is supported.
| [reply] |
