What is the practical impact of using System.Random which is not cryptographically random?Soft question: Examples where lack of mathematical rigour cause security breaches?Cryptographically strong pseudo-random seq. generatorsGenerate random number which should depend on keyPractical benefit of using a KDF?Is it safe to combine System.Random with cryptographically secure pseudo-random number generators?What does it mean for a random number generator to be cryptographically secure?Correlation among Psuedo Random Sequences generated from seeds which are correlatedIs a large random number cryptographically equivalent to the product of multiple smaller ones?PRNGs which are not CSPRNGImpact of the hash algorithm on a PRNGPractical way to generate random numbers from PRNG which are indistinguishable from true random
What checks exist against overuse of presidential pardons in the USA?
Pen test results for web application include a file from a forbidden directory that is not even used or referenced
How to investigate an unknown 1.5GB file named "sudo" in my Linux home directory?
In Endgame, wouldn't Stark have remembered Hulk busting out of the stairwell?
Is "survival" paracord with fire starter strand dangerous
What caused the end of cybernetic implants?
Can two aircraft be allowed to stay on the same runway at the same time?
RAID0 instead of RAID1 or 5, is this crazy?
How to save money by shopping at a variety of grocery stores?
Group by consecutive index numbers
Count the number of triangles
Do universities maintain secret textbooks?
What is the purpose of Strength, Intelligence and Dexterity in Path of Exile?
Create a list of snaking numbers under 50,000
How to differentiate between two people with the same name in a story?
Give Lightning Web Component a Prettier Name
Wrong Stamping of UK Visa
Is there an in-universe explanation given to the senior Imperial Navy Officers as to why Darth Vader serves Emperor Palpatine?
What is this "opened" cube called?
Why is there no Disney logo in MCU movies?
Can I lend a small amount of my own money to a bank at the federal funds rate?
Do application leftovers have any impact on performance?
Moscow SVO airport, how to avoid scam taxis without pre-booking?
Don't look at what I did there
What is the practical impact of using System.Random which is not cryptographically random?
Soft question: Examples where lack of mathematical rigour cause security breaches?Cryptographically strong pseudo-random seq. generatorsGenerate random number which should depend on keyPractical benefit of using a KDF?Is it safe to combine System.Random with cryptographically secure pseudo-random number generators?What does it mean for a random number generator to be cryptographically secure?Correlation among Psuedo Random Sequences generated from seeds which are correlatedIs a large random number cryptographically equivalent to the product of multiple smaller ones?PRNGs which are not CSPRNGImpact of the hash algorithm on a PRNGPractical way to generate random numbers from PRNG which are indistinguishable from true random
.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;
$begingroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
$endgroup$
add a comment |
$begingroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
$endgroup$
add a comment |
$begingroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
$endgroup$
I recently noticed a .NET software using PBKDF to derive an encryption key from a password string. This password string was dynamically generated using System.Random. Now, I know that System.Random is not really cryptographically random and should not be used for security purposes. Moreover, there are several flaws in .NET's implementation of System.Random.
But my question is this:
- What is the practical impact of using System.Random to create a password string and deriving a key from it. Is it really possible for us to reproduce the key at a later time? Are there feasible attacks that will allow me to deduce the random string generated in this context with high probability? Or is it the kind of vulnerability that can only be exploited in specific "lab" conditions or scenarios?
keys random-number-generator key-derivation randomness pseudo-random-function
keys random-number-generator key-derivation randomness pseudo-random-function
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
asked 8 hours ago
learnerXlearnerX
2031 gold badge3 silver badges12 bronze badges
2031 gold badge3 silver badges12 bronze badges
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
add a comment |
Your Answer
StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "281"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);
else
createEditor();
);
function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);
);
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72908%2fwhat-is-the-practical-impact-of-using-system-random-which-is-not-cryptographical%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
add a comment |
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
add a comment |
$begingroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
$endgroup$
What cryptographers will tell you is that if the password has high enough min-entropy, then your system will not be breakable in certain particular ways if you use certain cryptography.
What cryptographers will not do is lift a finger to break your pet project, because it's a lot of work to find a ‘feasible’ attack, and negligible reward—unless they actually get a specific reward from your system because they are the adversary trying to exploit your users, in which case they aren't going to share their findings with you.
Cryptographers only bother attacking real systems in the wild when they are particularly high-value, like TLS, and particularly many users might be at particularly high risk because of shoddy choices like RC4 that the engineers drag their feet about changing, despite the fact that RC4 was broken within 48 hours of its publication[1] and cryptanalysts kept finding worse[2] and worse[3] problems in it. That's why cryptanalysts bothered studying the specific use of RC4 in WPA and TLS[4][5][6], for example. The same thing happened with bespoke kooky constructions in SSH, TLS, and PGP[7].
Don't be the engineer responsible for making a shoddy cryptographic decision that will inspire cryptanalysts to poke holes in your system years down the road. Follow cryptographers' advice the first time around, to save the cryptanalysts' effort and to let them focus on cryptosystems that will be broadly used like NIST PQC, to improve security for everyone.
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
edited 6 hours ago
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
answered 7 hours ago
Squeamish OssifrageSqueamish Ossifrage
31.5k1 gold badge52 silver badges135 bronze badges
31.5k1 gold badge52 silver badges135 bronze badges
add a comment |
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
add a comment |
$begingroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
$endgroup$
The official documentation for System.Random explicitly says it should not be used for generating passwords. It’s predictable, and seeded only from the system clock. This means System.Random has at most 20 bits of entropy to anyone who has a clock accurate to within a second.
Indeed, try creating two new instances in quick succession on different threads; they will produce the same output! I have encountered exactly this issue in an audit of real-world password reset code in a SaaS application. The same passwords were being sent to multiple users in the real world. You could predict those passwords easily if you guessed/knew that System.Random with base64 encoding was being used to generate reset passwords.
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
edited 2 hours ago
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
answered 2 hours ago
rmalayterrmalayter
1,84411 silver badges21 bronze badges
1,84411 silver badges21 bronze badges
add a comment |
add a comment |
Thanks for contributing an answer to Cryptography Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
Use MathJax to format equations. MathJax reference.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fcrypto.stackexchange.com%2fquestions%2f72908%2fwhat-is-the-practical-impact-of-using-system-random-which-is-not-cryptographical%23new-answer', 'question_page');
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
