Forum: Ruby Secure Random Number Generator

Dave K. (Guest)
on 2007-03-13 06:57
(Received via mailing list)
Hi-
    Is there a secure random number generator for Ruby that works on
Windows and Linux?

Thanks,
Dave
M. Edward (Ed) Borasky (Guest)
on 2007-03-13 07:03
(Received via mailing list)
Dave K. wrote:
> Hi-
>     Is there a secure random number generator for Ruby that works on
> Windows and Linux?
>
> Thanks,
> Dave
>
>
>
Remind me again how a random number generator can be insecure ...

--
M. Edward (Ed) Borasky, FBG, AB, PTA, PGS, MS, MNLP, NST, ACMC(P)
http://borasky-research.blogspot.com/

If God had meant for carrots to be eaten cooked, He would have given
rabbits fire.
Gary W. (Guest)
on 2007-03-13 07:40
(Received via mailing list)
On Mar 13, 2007, at 1:03 AM, M. Edward (Ed) Borasky wrote:

> Dave K. wrote:
>> Hi-
>>     Is there a secure random number generator for Ruby that works on
>> Windows and Linux?

I'm assuming he means sufficiently random for cryptographic purposes.
Some pseudo-random number generators don't meet that requirement.

The Ruby 1.9 source code for random says:

   This is based on trimmed version of MT19937.  To get the original version,
   contact <http://www.math.keio.ac.jp/~matumoto/emt.html>.

The docs for Kernel#rand say

    Ruby currently uses a modified Mersenne Twister with a period of 2**19937-1.

I'm not a crypto geek but I'm guessing that a Mersenne Twister algorithm
doesn't have sufficient entropy for crypto purposes.

As a proof of concept I whipped up this for MacOSX.  It gets random data
from /dev/urandom, which based on the man page is a better source of random
data (Yarrow pseudo random number generator with entropy injected by the
MacOSX SecurityServer).  I'm not claiming this is good for crypto work
either, just that it looks better than the Mersenne Twister.  I think this
would work on Linux also since it has /dev/urandom.  I got nothing for
Windows.

module Kernel
   # Return bytes from /dev/urandom.
   # With no arguments, urandom grabs four bytes and returns them as an
   # unsigned integer.  With an integer argument, urandom returns a
   # string of that size filled with bytes from /dev/urandom.
   def urandom(size=nil)
     result = File.open('/dev/urandom') { |x| x.read(size || 4) }
     size && result || result.unpack("L").first
   end
end

Gary W.
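
An added example, not part of Gary W.'s post or of the original thread: Ruby's standard `securerandom` library draws from OpenSSL or the operating system's random source, so it covers both Linux and Windows where the /dev/urandom helper above covers only Unix-like systems. The names os_random, secure_below and mt_sequence are chosen for this example.

```ruby
require 'securerandom'

# Same calling convention as the post's urandom helper, but backed by
# SecureRandom instead of opening /dev/urandom directly.
def os_random(size = nil)
  bytes = SecureRandom.random_bytes(size || 4)
  size ? bytes : bytes.unpack('L').first
end

# Uniform integer in 0...limit built from raw CSPRNG bytes. Draws at or above
# the largest multiple of limit are rejected, so "% limit" adds no bias.
def secure_below(limit)
  unless limit.is_a?(Integer) && limit > 0
    raise ArgumentError, 'limit must be a positive integer'
  end
  nbytes = (limit.bit_length + 7) / 8
  space  = 256**nbytes
  cutoff = space - (space % limit)
  loop do
    raw   = SecureRandom.random_bytes(nbytes)
    value = raw.unpack('C*').inject(0) { |acc, byte| (acc << 8) | byte }
    return value % limit if value < cutoff
  end
end

# The Mersenne Twister behind Kernel#rand is fully determined by its seed:
# whoever learns or guesses the seed can replay every value it produced.
def mt_sequence(seed, count)
  prng = Random.new(seed)
  Array.new(count) { prng.rand(2**32) }
end

def mt_reproducible?(seed)
  mt_sequence(seed, 8) == mt_sequence(seed, 8)
end

if __FILE__ == $0
  puts "32-bit value from the OS source: #{os_random}"
  puts "16 random bytes, hex encoded:    #{os_random(16).unpack('H*').first}"
  puts "unbiased die roll (1..6):        #{secure_below(6) + 1}"
  puts "MT replayable from seed 1234?    #{mt_reproducible?(1234)}"
end
```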
unknown (Guest)
on 2007-03-13 07:51
(Received via mailing list)
On Tue, 13 Mar 2007, Gary W. wrote:

> I got nothing for Windows.

don't you just have to run any 'ol code to get random numbers on windows? ;-)

(ducks)

-a
Husein C. (Guest)
on 2007-03-13 07:53
(Received via mailing list)
http://raa.ruby-lang.org/search.rhtml?search=random+number

On 3/13/07, Dave K. <removed_email_address@domain.invalid> wrote:
> Hi-
>     Is there a secure random number generator for Ruby that works on
> Windows and Linux?
>
> Thanks,
> Dave
>
>


--
Husein C.,
CEO, CTO
Yucca Intelligence Development
http://www.YuccaHQ.com

We make the web a better place!
Bill K. (Guest)
on 2007-03-13 08:05
(Received via mailing list)
From: <removed_email_address@domain.invalid>
> On Tue, 13 Mar 2007, Gary W. wrote:
>
>> I got nothing for Windows.
>
> don't you just have to run any 'ol code to get random numbers on windows? ;-)

:D

I would propose installing registry-access-hooks to monitor and
generate random bits from all the trojan horses continually rewriting
dozens of registry keys per second to ensure they can't be deleted.


Regards,

Bill  (who found a very, very tenacious trojan on his win xp box recently)
       (check your windows/system32 folder for a hidden file called pmnnl.dll)
Joel VanderWerf (Guest)
on 2007-03-13 10:14
(Received via mailing list)
Dave K. wrote:
> Hi-
>     Is there a secure random number generator for Ruby that works on
> Windows and Linux?

Is ISAAC[1] secure enough for you?

I think Kirk H. posted his implementation somewhere. (I've got one
too, but I never released it.)

[1] http://www.burtleburtle.net/bob/rand/isaac.html
unknown (Guest)
on 2007-03-14 03:52
(Received via mailing list)
On Tue, 13 Mar 2007, Joel VanderWerf wrote:

> Dave K. wrote:
>> Hi-
>>     Is there a secure random number generator for Ruby that works on
>> Windows and Linux?
>
> Is ISAAC[1] secure enough for you?
>
> I think Kirk H. posted his implementation somewhere. (I've got one too,
> but I never released it.)

Crypt::ISAAC.  I have a small update to it (that includes a pure C
implementation that someone else donated) that I will try to get uploaded.
May not get it done until after the MountainWest Rubyconf, though.


Kirk H.
Dave K. (Guest)
on 2007-03-14 06:29
(Received via mailing list)
Yeah, I looked at that. I was actually having trouble getting the setup.rb
script to run in Windows.  It's fine for me to copy it over but I was
going to use it in an article and didn't want to have to explain how to
manually install it.  Then again it could just be my laptop, I'll try it
on another computer tomorrow.  Also, I noticed you said you were working
on better seeding for Windows, does the current seeding affect the
randomness much?

Thanks,
Dave