Author Topic: Words can't describe....  (Read 7036 times)

0 Members and 2 Guests are viewing this topic.

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Words can't describe....
« on: December 06, 2006, 03:53:57 pm »
One of the first computer things to make me really laugh out loud.  This is from The Daily WTF:

J.S. Bangs sends us today's snippit located deep within a Java codebase he's maintaining. The function, getRandomBits() returns a 32-byte array of random bites for security purposes. Since Java provides a Random method, this should be easy; in fact a proper implementation can be writting in five lines:
Code: [Select]
public static byte[] getRandomBits() {
  byte[] random = new byte[32];
  Random.nextBytes(random);
  return random;
}
Of course, J.S.'s predecessor found a more interesting way to do things. His version of getRandomBits did its job by:

* Enumerate all of the System properties
* Create an MD4 hash of all of the property key/value pairs
* Do a bitwise-XOR of the various hashes
* Throw in an MD4 hash of the current system time so that the value isn't always the same
* Bitwise-XOR that in there as well
* Return the result
The best thing J.S. could say about this code was "at least it's commented". I don't believe it within my ability however to do this code justice, so without futher to do:
Code: [Select]
    public static byte[] innerGetRandomBits() {
        int pos = 0;
        int iters = 0;

        bits = new byte[(nbits + 7) / 8];

        for (int i = 0; i < bits.length; i++)
            bits[i] = (byte) 0;
       
        Enumeration e = null;
        try {
            e = System.getProperties().propertyNames();
        } catch (Exception ex) {
            // no need to do anything
        }

        MD4 hash = new MD4();
        int hash_count = 0;
        int hash_bytes = 0;

        long ms = System.currentTimeMillis();
        byte[] bytes = new byte[12];
        for (int i = 0; i < 8; i++) {
            bytes[i] = (byte) (ms & 0xffL);
            ms = ms >> 8;
        }
        int hn = System.identityHashCode(bytes);
        for (int i = 0; i < 4; i++) {
            bytes[i + 8] = (byte) (hn & 0xffL);
            hn = hn >> 8;
        }

        if (e != null)
            while (e.hasMoreElements()) {
                String key = (String) e.nextElement();
                if (key != null) {
                    String val = System.getProperty(key);
                    if (val != null) {

                        String pair = key + val;
                        bytes = pair.getBytes();
                        hash.engineUpdate(bytes, 0, bytes.length);
                        hash_bytes += bytes.length;

                        // when the hash input size is large enough ...
                        if (hash_bytes >= 128) {
                            hash_count++;
                            hash_bytes = 0;

                            // ... produce a digest and ...
                            byte[] digest = hash.engineDigest();
                            for (int i = 0; i < digest.length; i++) {

                                // ...fold it into the bit buffer
                                bits[pos] = (byte) (bits[pos] ^ digest[i]);
                                pos++;
                                if (pos == bits.length) {
                                    pos = 0;
                                    iters++;
                                }
                            } // end for
                        } // end if hash_bytes
                    } // end if val non null
                } // end if key non null
            } // end while e.hasMoreElements

        while (iters < 2) {
            for (int j = 512 / 8; j > 0; j--) {
                Thread.yield();
                ms = System.currentTimeMillis();
                for (int i = 0; i < 8; i++) {
                    bytes[i] = (byte) (ms & 0xffL);
                    ms = ms >> 8;
                }
                hash.engineUpdate(bytes, 0, 8);
                hash_bytes += 8;

                // when the hash input size is large enough ...
                if (hash_bytes >= 128) {
                    hash_count++;
                    hash_bytes = 0;

                    // ... produce a digest and ...
                    byte[] digest = hash.engineDigest();
                    for (int i = 0; i < digest.length; i++) {

                        // ...fold it into the bit buffer
                        bits[pos] = (byte) (bits[pos] ^ digest[i]);
                        pos++;
                        if (pos == bits.length) {
                            pos = 0;
                            iters++;
                        }
                    } // end for
                } // end if hash_bytes
            } // end for
        } // end while iters

        return bits;
    }
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: Words can't describe....
« Reply #1 on: December 06, 2006, 04:56:40 pm »
Lmfao, what a waste of time and effort!
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline disco

  • Full Member
  • ***
  • Posts: 212
  • Comfortably Numb
    • View Profile
Re: Words can't describe....
« Reply #2 on: December 06, 2006, 05:11:59 pm »
I don't get it.

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Words can't describe....
« Reply #3 on: December 06, 2006, 05:22:29 pm »
HAHAHA!

I don't get it.

He makes the method far more difficult, inefficient and painful than is necessary.  I'm pretty sure the creators of Java made a decent random number generator.  This guy's idea is totally asinine.

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Words can't describe....
« Reply #4 on: December 06, 2006, 05:49:02 pm »
Yea... I think it's less random than the API's Random.

Hilarious!

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Words can't describe....
« Reply #5 on: December 07, 2006, 07:52:00 pm »
Yea... I think it's less random than the API's Random.

It's definitely no more random than the API's.  Random without a seed will produce the same sequence given the same start time.  So will this.  The only difference is, Random is mathematically distributed, whereas hashing is not.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline Towelie

  • pwnstar
  • x86
  • Hero Member
  • *****
  • Posts: 4873
    • View Profile
Re: Words can't describe....
« Reply #6 on: December 07, 2006, 11:54:10 pm »
HAHAHA!

I don't get it.

He makes the method far more difficult, inefficient and painful than is necessary.  I'm pretty sure the creators of Java made a decent random number generator.  This guy's idea is totally asinine.
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!

Offline Sidoh

  • x86
  • Hero Member
  • *****
  • Posts: 17634
  • MHNATY ~~~~~
    • View Profile
    • sidoh
Re: Words can't describe....
« Reply #7 on: December 08, 2006, 12:05:30 am »
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!

The word 'asinine' reminds you of the redneck dictionary?  Hmm... :-\

;)

Offline disco

  • Full Member
  • ***
  • Posts: 212
  • Comfortably Numb
    • View Profile
Re: Words can't describe....
« Reply #8 on: December 08, 2006, 12:38:20 am »
HAHAHA!

I don't get it.

He makes the method far more difficult, inefficient and painful than is necessary.  I'm pretty sure the creators of Java made a decent random number generator.  This guy's idea is totally asinine.
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!

I don't get it.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Words can't describe....
« Reply #9 on: December 08, 2006, 08:27:39 am »
Yea... I think it's less random than the API's Random.

It's definitely no more random than the API's.  Random without a seed will produce the same sequence given the same start time.  So will this.  The only difference is, Random is mathematically distributed, whereas hashing is not.

Hashing isn't?  I thought the point of a good hashing algorithm is that it IS randomly distributed?

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Words can't describe....
« Reply #10 on: December 08, 2006, 09:51:26 am »
With hashing, given a static set of values you should always hash the same result... doesn't sound random to me ;)

Offline Joe

  • B&
  • x86
  • Hero Member
  • *****
  • Posts: 10319
  • In Soviet Russia, text read you!
    • View Profile
    • Github
Re: Words can't describe....
« Reply #11 on: December 08, 2006, 10:17:19 am »
System time isn't a static value, though.
I'd personally do as Joe suggests

You might be right about that, Joe.


Offline AntiVirus

  • Legendary
  • x86
  • Hero Member
  • *****
  • Posts: 2521
  • Best
    • View Profile
Re: Words can't describe....
« Reply #12 on: December 08, 2006, 11:08:51 am »
I'm not really sure what hashing is, but I know you can seed the random generator with the time(NULL) function.  The random generator is only "random" if you seed it with different starting numbers.
The once grove of splendor,
Aforetime crowned by lilac and lily,
Lay now forevermore slender;
And all winds that liven
Silhouette a lone existence;
A leafless oak grasping at eternity.


"They say that I must learn to kill before I can feel safe, but I rather kill myself then turn into their slave."
- The Rasmus

Offline Chavo

  • x86
  • Hero Member
  • *****
  • Posts: 2219
  • no u
    • View Profile
    • Chavoland
Re: Words can't describe....
« Reply #13 on: December 08, 2006, 11:23:05 am »
System time isn't a static value, though.
He's hashing time system properties (semi-static) and combining it with a hash of system time (non-static).  I don't think it takes a genius  to figure out that a static value + a random value is not more random than a random value by itself.  Furthermore, if you modulate a random number by a static number, you get a less random number.

Offline deadly7

  • 42
  • x86
  • Hero Member
  • *****
  • Posts: 6496
    • View Profile
Re: Words can't describe....
« Reply #14 on: December 08, 2006, 06:46:56 pm »
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!

The word 'asinine' reminds you of the redneck dictionary?  Hmm... :-\

;)
In the case that you weren't kidding (highly improbable) and for disco's knowledge: See: Blue Collar TV.
[17:42:21.609] <Ergot> Kutsuju you're girlfrieds pussy must be a 403 error for you
 [17:42:25.585] <Ergot> FORBIDDEN

on IRC playing T&T++
<iago> He is unarmed
<Hitmen> he has no arms?!

on AIM with a drunk mythix:
(00:50:05) Mythix: Deadly
(00:50:11) Mythix: I'm going to fuck that red dot out of your head.
(00:50:15) Mythix: with my nine

Offline MyndFyre

  • Boticulator Extraordinaire
  • x86
  • Hero Member
  • *****
  • Posts: 4540
  • The wait is over.
    • View Profile
    • JinxBot :: the evolution in boticulation
Re: Words can't describe....
« Reply #15 on: December 08, 2006, 07:53:00 pm »
Yea... I think it's less random than the API's Random.

It's definitely no more random than the API's.  Random without a seed will produce the same sequence given the same start time.  So will this.  The only difference is, Random is mathematically distributed, whereas hashing is not.

Hashing isn't?  I thought the point of a good hashing algorithm is that it IS randomly distributed?

Well, I said "mathematically distributed," not "randomly distributed."

In any case, Random when initialized without a seed will produce a sequence of numbers based on the system time when it is first initialized.

Producing a hash of static input will always produce the same result.  Hashing isn't about producing random output but about producing consistent output given arbitrary input; in some measures, a CRC32 (32-bit cyclic redundancy check) could be considered a hash because it always produces the same output given the same input.

The "randomness" of a given function is a characteristic of how much input difference is required to get different output.  In this case, since the input difference that really makes the difference is the system time, they are equally random.
I have a programming folder, and I have nothing of value there

Running with Code has a new home!

Our species really annoys me.

Offline iago

  • Leader
  • Administrator
  • Hero Member
  • *****
  • Posts: 17914
  • Fnord.
    • View Profile
    • SkullSecurity
Re: Words can't describe....
« Reply #16 on: December 09, 2006, 02:12:40 pm »
Well, I said "mathematically distributed," not "randomly distributed."

In any case, Random when initialized without a seed will produce a sequence of numbers based on the system time when it is first initialized.

Producing a hash of static input will always produce the same result.  Hashing isn't about producing random output but about producing consistent output given arbitrary input; in some measures, a CRC32 (32-bit cyclic redundancy check) could be considered a hash because it always produces the same output given the same input.

The "randomness" of a given function is a characteristic of how much input difference is required to get different output.  In this case, since the input difference that really makes the difference is the system time, they are equally random.
"Producing a hash of static input will always produce the same result" is correct, but like you said, using a random function with static input will, as well.  If you seed a good hash function and you seed a good random function, both with random values, you should get comparably secure outputs. 

Both hash functions and random functions are designed to distribute the result evenly/randomly/unpredictably. 

The main difference between the two is that hash functions are far, far slower than random functions, so it's not realistic to use them in many cases.  But given a proper seed, I don't think there's a huge difference.