From: Russ Cox <rsc@swtch.com>
To: Paul Winalski <paul.winalski@gmail.com>
Cc: Douglas McIlroy <douglas.mcilroy@dartmouth.edu>,
TUHS main list <tuhs@tuhs.org>
Subject: [TUHS] Re: early unix rand
Date: Tue, 12 Mar 2024 21:22:53 -0400 [thread overview]
Message-ID: <CADSkJJX0H4LJ9baU55sn2=egCbjnn+9dvbkpKMsQ0hEJDUTLQw@mail.gmail.com> (raw)
In-Reply-To: <CABH=_VSR8ETtzuGssj12jBOvHoBtnXMDmoWWtUiH33NKMLQUcw@mail.gmail.com>
[-- Attachment #1: Type: text/plain, Size: 1609 bytes --]
On Tue, Mar 12, 2024 at 12:23 PM Paul Winalski <paul.winalski@gmail.com>
wrote:
> On 3/12/24, Douglas McIlroy <douglas.mcilroy@dartmouth.edu> wrote:
> >
> > That was a memorable
> > error. Guessing that the passwords were generated by
> > a simple encoding of the output of rand, Ken promptly
> > broke 100% of the newly "hardened" password file.
>
> To do that wouldn't you need to know the seed value that was used? Or
> did this version of rand() always generate the same sequence of
> pseudo-random numbers?
Any LCG-based version of rand (including, say, java.lang.Math.random)
always generates the same periodic sequence of numbers; the seed only
controls where in the sequence you start (you start where the seed appears).
Worse, any LCG-based rand truncated to k bits is itself just a periodic
sequence of the 2^k possible truncations. The trivial k=1 case of this is
that if
you look at the bottom bit of successive rand outputs on any of these
generators, it is always alternating between even and odd, no matter
what constants you pick. (Almost. If you pick bad constants you could
get all even or all odd instead.)
I don't know what the simple BSD encoding was, but those two facts
combined mean that an example of an encoding that would be easily broken
would be to pick a fixed-length sequence of letters drawn from
"abcdefghijklmnopqrstuvwxyz123456"[rand()&31].
That would just produce the same 32-character permutation
over and over again, so there would only be 32 possible passwords,
depending only on where in the sequence you start.
Best,
Russ
[-- Attachment #2: Type: text/html, Size: 2240 bytes --]
next prev parent reply other threads:[~2024-03-13 1:23 UTC|newest]
Thread overview: 13+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-12 14:37 [TUHS] " Douglas McIlroy
2024-03-12 16:23 ` [TUHS] " Paul Winalski
2024-03-12 16:47 ` [TUHS] Re: NSFW passwords William Cheswick
2024-03-13 1:22 ` Russ Cox [this message]
2024-03-12 16:32 ` [TUHS] Re: early unix rand Ken Thompson
-- strict thread matches above, loose matches on Subject: below --
2024-03-12 12:55 [TUHS] " Russ Cox
2024-03-12 18:08 ` [TUHS] " Russ Cox
2024-03-12 23:05 ` Jonathan Gray
2024-03-13 1:09 ` ron minnich
2024-03-13 16:41 ` ron minnich
2024-03-13 17:17 ` ron minnich
2024-03-13 20:25 ` Rob Pike
2024-03-13 20:34 ` Clem Cole
2024-03-14 19:24 ` Dave Horsfall
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CADSkJJX0H4LJ9baU55sn2=egCbjnn+9dvbkpKMsQ0hEJDUTLQw@mail.gmail.com' \
--to=rsc@swtch.com \
--cc=douglas.mcilroy@dartmouth.edu \
--cc=paul.winalski@gmail.com \
--cc=tuhs@tuhs.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).