
Re: [Lynx-dev] predictable PRNG used

From: Thorsten Glaser
Subject: Re: [Lynx-dev] predictable PRNG used
Date: Sun, 5 Jul 2009 17:31:58 +0000 (UTC)

Michael S. Gilbert dixit:

>i'm triaging this issue for linux, and i don't believe that it has an
>arc4random implementation.

There are several implementations; I wrote one based on
jrand48 but self-seeding from /proc/sys/kernel/random_uuid
for klibc (not really using aRC4, but sharing the API),
Debian libbsd has one (available in Lenny on all arches),
contains another one, OpenSSH comes with one.

>so this would mean that lynx is using the
>very insecure linear congruential algorithm

lrand48 at least doesn't expose the entire seed, so
you'd still need quite some effort to find it out.


Some things are another issue actually. For example,
OpenSSL is separate from this _again_. There is no
JavaScript(tm) in Lynx, luckily, so that one wouldn't
be affected either. You'd really have to look where
entropy is used in the source code.

“It is inappropriate to require that a time represented as
 seconds since the Epoch precisely represent the number of
 seconds between the referenced time and the Epoch.”
        -- IEEE Std 1003.1b-1993 (POSIX) Section B.2.2.2
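The point about lrand48 not exposing the entire seed can be made concrete. The following is an added example, written for this page and not code from the thread, from Lynx or from any of the arc4random implementations mentioned; it models the POSIX rand48 generator (48-bit state X, X(n+1) = (0x5DEECE66D * X(n) + 0xB) mod 2^48, lrand48 returning the high 31 bits of the new state, srand48 setting the low 16 bits to 0x330E) and recovers the hidden 17 low bits by trying all 2^17 candidates against the next two outputs. The seed value and the variable names are arbitrary choices of the example; the constants are the ones POSIX specifies.

```c
/* Model of POSIX rand48 and recovery of its state from lrand48() output.
 * Added example; not part of Lynx or of the mailing-list message. */
#define _XOPEN_SOURCE 700
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

long lrand48(void);      /* explicit prototypes in case the feature   */
void srand48(long);      /* macros did not expose the XSI functions   */

/* POSIX rand48: X(n+1) = (a * X(n) + c) mod 2^48 */
#define R48_A    0x5DEECE66DULL
#define R48_C    0xBULL
#define R48_MASK ((1ULL << 48) - 1)

/* One LCG step on the 48-bit state. */
static uint64_t r48_step(uint64_t x) {
    return (R48_A * x + R48_C) & R48_MASK;
}

/* lrand48() returns the high 31 bits of the state after stepping,
 * i.e. it hides the low 17 bits. */
static long r48_lrand(uint64_t x) {
    return (long)(x >> 17);
}

/* Recover the full 48-bit state from three consecutive lrand48() outputs.
 * out1 fixes the top 31 bits of the state that produced it; the 2^17
 * possibilities for the hidden low bits are checked against out2 and
 * out3.  Returns the state after the third call, or UINT64_MAX if no
 * candidate matches (which means the outputs did not come from rand48). */
uint64_t recover_state(long out1, long out2, long out3) {
    uint64_t hi = (uint64_t)out1 << 17;            /* the 31 revealed bits */
    for (uint64_t lo = 0; lo < (1ULL << 17); lo++) { /* the 17 hidden bits */
        uint64_t x1 = hi | lo;
        uint64_t x2 = r48_step(x1);
        if (r48_lrand(x2) != out2)
            continue;
        uint64_t x3 = r48_step(x2);
        if (r48_lrand(x3) == out3)
            return x3;
    }
    return UINT64_MAX;
}

/* Predict the next lrand48() output from a recovered state. */
long predict_next(uint64_t state) {
    return r48_lrand(r48_step(state));
}

int main(void) {
    /* Seed with the time, as a program using lrand48 naively would. */
    srand48((long)time(NULL));
    long o1 = lrand48(), o2 = lrand48(), o3 = lrand48();

    uint64_t st = recover_state(o1, o2, o3);
    if (st == UINT64_MAX) {
        puts("no candidate state matched the observed outputs");
        return 1;
    }
    long guess  = predict_next(st);
    long actual = lrand48();
    printf("predicted %ld, lrand48() returned %ld: %s\n",
           guess, actual, guess == actual ? "match" : "mismatch");
    return guess == actual ? 0 : 1;
}
```

The search costs at most 131072 LCG steps, which is the "quite some effort" the message refers to when lrand48 is used directly: a fraction of a second on any machine, so the hidden bits only slow an observer down rather than stop one. The same structure (state larger than any single output) is why observing outputs of a drand48-style generator is enough to continue its sequence, which is the property an arc4random-style API is meant to take away.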
