If I retrieve a random number from a database (e.g. RAND() in SQL Server) or using a programming language and send this in some form back to a client machine, is there an economic chance I will be sending an indicator of what's in my server's memory that might form a security problem (like revealing my schema, etc)?
Asked
Active
Viewed 298 times
1
-
If you're using the output from `RAND` in a cryptographic sense, meaning not predictable, then yes it's a security risk. It depends on how it's intended to be used. If you're using it to display a different banner ad, then no. – Matthew Apr 30 '14 at 21:19
-
[Sharing your research helps everyone](http://meta.programmers.stackexchange.com/questions/6559/why-is-research-important). Tell us what you've tried and why it didn’t meet your needs. This demonstrates that you’ve taken the time to try to help yourself, it saves us from reiterating obvious answers, and most of all it helps you get a more specific and relevant answer. Also see [ask] – gnat Apr 30 '14 at 21:27
-
3@Matthew this is the difference between normal RNGs and cryptographic RNGs. The first is suitable for picking a banner ad, while the second is suitable for generating a symmetric key. – Apr 30 '14 at 21:35
-
1http://en.wikipedia.org/wiki/Random_number_generator_attack – psr Apr 30 '14 at 21:46
-
@gnat: I haven't done any research. I was mostly wondering what the takeaways were for the heartbleed thing. I didn't turn up any prior stuff on google or here that seemed like a good answer. – micahhoover May 01 '14 at 12:44
-
2@psr: Assuming the OP isn't using the numbers for anything requiring "secure" randomness, I would interpret his question as asking whether an attacker who could control the timing of multiple calls to `rand()` and observe the results would be able to use such abilities to compromise any other aspect of the system. If `rand()` used a globally-shared state and wasn't called very often, but some kind of request would end up calling rand() some number of times which could be affected by confidential data, that could be a security hole even if the values returned by rand() were not... – supercat Dec 04 '14 at 17:35
-
...used in any way that would require real security. The real security hole in that situation, however, would be with code that allowed any form of globally-accessible state to be affected in a predictable fashion by what was supposed to be confidential information. – supercat Dec 04 '14 at 17:36
2 Answers
9
No, the specific thing that you are concerned about (inspired by Heartbleed?) will not happen. A random number generator does not simply pull bytes from memory (that's not very random). You can assume that the random number generator will not leak private information to clients.
Greg Hewgill
- 10,181
- 1
- 46
- 45
-
-
A minor caveat: You can **generally** assume that the random number generator will not leak private information to clients. A random generator will have been written to NOT expose your data, but all software can have bugs. If your "economic" chance is measured in the millions of dollars, you're probably okay. Most of the major RNGs have been tested pretty heavily. If your "economic" chance is measured in high billions or trillions or national security, it is worth auditing the random number generator *just to make sure*. – Cort Ammon Dec 06 '14 at 15:51
2
The only part of memory used is a designated buffer which is used only for the number generation.
The real risk of RNG is predictability, for key generation you need random data, if it isn't random an attacker can guess the key and break your encrypted data.
ratchet freak
- 25,706
- 2
- 62
- 97
-
2Or do other things. There was an interesting case in Las Vegas some years back. A mathematician observed some electronic gambling machine in operation, realized that the random number generator it used was not all that good, and proceeded to "play" the machine for a LARGE amount of money. The casino sued, claiming he cheated. I never heard how the lawsuit came out. – John R. Strohm Apr 30 '14 at 21:40