One of the first computer things to make me really laugh out loud. This is from The Daily WTF (http://thedailywtf.com):
J.S. Bangs sends us today's snippit located deep within a Java codebase he's maintaining. The function, getRandomBits() returns a 32-byte array of random bites for security purposes. Since Java provides a Random method, this should be easy; in fact a proper implementation can be writting in five lines:
public static byte[] getRandomBits() {
byte[] random = new byte[32];
Random.nextBytes(random);
return random;
}
Of course, J.S.'s predecessor found a more interesting way to do things. His version of getRandomBits did its job by:
* Enumerate all of the System properties
* Create an MD4 hash of all of the property key/value pairs
* Do a bitwise-XOR of the various hashes
* Throw in an MD4 hash of the current system time so that the value isn't always the same
* Bitwise-XOR that in there as well
* Return the result
The best thing J.S. could say about this code was "at least it's commented". I don't believe it within my ability however to do this code justice, so without futher to do:
public static byte[] innerGetRandomBits() {
int pos = 0;
int iters = 0;
bits = new byte[(nbits + 7) / 8];
for (int i = 0; i < bits.length; i++)
bits[i] = (byte) 0;
Enumeration e = null;
try {
e = System.getProperties().propertyNames();
} catch (Exception ex) {
// no need to do anything
}
MD4 hash = new MD4();
int hash_count = 0;
int hash_bytes = 0;
long ms = System.currentTimeMillis();
byte[] bytes = new byte[12];
for (int i = 0; i < 8; i++) {
bytes[i] = (byte) (ms & 0xffL);
ms = ms >> 8;
}
int hn = System.identityHashCode(bytes);
for (int i = 0; i < 4; i++) {
bytes[i + 8] = (byte) (hn & 0xffL);
hn = hn >> 8;
}
if (e != null)
while (e.hasMoreElements()) {
String key = (String) e.nextElement();
if (key != null) {
String val = System.getProperty(key);
if (val != null) {
String pair = key + val;
bytes = pair.getBytes();
hash.engineUpdate(bytes, 0, bytes.length);
hash_bytes += bytes.length;
// when the hash input size is large enough ...
if (hash_bytes >= 128) {
hash_count++;
hash_bytes = 0;
// ... produce a digest and ...
byte[] digest = hash.engineDigest();
for (int i = 0; i < digest.length; i++) {
// ...fold it into the bit buffer
bits[pos] = (byte) (bits[pos] ^ digest[i]);
pos++;
if (pos == bits.length) {
pos = 0;
iters++;
}
} // end for
} // end if hash_bytes
} // end if val non null
} // end if key non null
} // end while e.hasMoreElements
while (iters < 2) {
for (int j = 512 / 8; j > 0; j--) {
Thread.yield();
ms = System.currentTimeMillis();
for (int i = 0; i < 8; i++) {
bytes[i] = (byte) (ms & 0xffL);
ms = ms >> 8;
}
hash.engineUpdate(bytes, 0, 8);
hash_bytes += 8;
// when the hash input size is large enough ...
if (hash_bytes >= 128) {
hash_count++;
hash_bytes = 0;
// ... produce a digest and ...
byte[] digest = hash.engineDigest();
for (int i = 0; i < digest.length; i++) {
// ...fold it into the bit buffer
bits[pos] = (byte) (bits[pos] ^ digest[i]);
pos++;
if (pos == bits.length) {
pos = 0;
iters++;
}
} // end for
} // end if hash_bytes
} // end for
} // end while iters
return bits;
}
Lmfao, what a waste of time and effort!
I don't get it.
HAHAHA!
Quote from: disco on December 06, 2006, 05:11:59 PM
I don't get it.
He makes the method far more difficult, inefficient and painful than is necessary. I'm pretty sure the creators of Java made a decent random number generator. This guy's idea is totally asinine.
Yea... I think it's less random than the API's Random.
Hilarious!
Quote from: unTactical on December 06, 2006, 05:49:02 PM
Yea... I think it's less random than the API's Random.
It's definitely no more random than the API's. Random without a seed will produce the same sequence given the same start time. So will this. The only difference is, Random is mathematically distributed, whereas hashing is not.
Quote from: Sidoh on December 06, 2006, 05:22:29 PM
HAHAHA!
Quote from: disco on December 06, 2006, 05:11:59 PM
I don't get it.
He makes the method far more difficult, inefficient and painful than is necessary. I'm pretty sure the creators of Java made a decent random number generator. This guy's idea is totally asinine.
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!
Quote from: Towelie on December 07, 2006, 11:54:10 PM
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!
The word 'asinine' reminds you of the redneck dictionary? Hmm... :-\
;)
Quote from: Towelie on December 07, 2006, 11:54:10 PM
Quote from: Sidoh on December 06, 2006, 05:22:29 PM
HAHAHA!
Quote from: disco on December 06, 2006, 05:11:59 PM
I don't get it.
He makes the method far more difficult, inefficient and painful than is necessary. I'm pretty sure the creators of Java made a decent random number generator. This guy's idea is totally asinine.
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!
I don't get it.
Quote from: MyndFyrex86] link=topic=8090.msg101887#msg101887 date=1165539120]
Quote from: unTactical on December 06, 2006, 05:49:02 PM
Yea... I think it's less random than the API's Random.
It's definitely no more random than the API's. Random without a seed will produce the same sequence given the same start time. So will this. The only difference is, Random is mathematically distributed, whereas hashing is not.
Hashing isn't? I thought the point of a good hashing algorithm is that it IS randomly distributed?
With hashing, given a static set of values you should always hash the same result... doesn't sound random to me ;)
System time isn't a static value, though.
I'm not really sure what hashing is, but I know you can seed the random generator with the time(NULL) function. The random generator is only "random" if you seed it with different starting numbers.
Quote from: Joex86] link=topic=8090.msg101946#msg101946 date=1165591039]
System time isn't a static value, though.
He's hashing time system properties (semi-static) and combining it with a hash of system time (non-static). I don't think it takes a genius to figure out that a static value + a random value is not more random than a random value by itself. Furthermore, if you modulate a random number by a static number, you get a
less random number.
Quote from: Sidoh on December 08, 2006, 12:05:30 AM
Quote from: Towelie on December 07, 2006, 11:54:10 PM
Reminds me of the redneck dictionary. "I'll give her face a two, and her asinine (ass a nine)"
Anyways, rofl!
The word 'asinine' reminds you of the redneck dictionary? Hmm... :-\
;)
In the case that you weren't kidding (highly improbable) and for disco's knowledge: See: Blue Collar TV.
Quote from: iago on December 08, 2006, 08:27:39 AM
Quote from: MyndFyrex86] link=topic=8090.msg101887#msg101887 date=1165539120]
Quote from: unTactical on December 06, 2006, 05:49:02 PM
Yea... I think it's less random than the API's Random.
It's definitely no more random than the API's. Random without a seed will produce the same sequence given the same start time. So will this. The only difference is, Random is mathematically distributed, whereas hashing is not.
Hashing isn't? I thought the point of a good hashing algorithm is that it IS randomly distributed?
Well, I said "mathematically distributed," not "randomly distributed."
In any case, Random when initialized without a seed will produce a sequence of numbers based on the system time when it is first initialized.
Producing a hash of static input will always produce the same result. Hashing isn't about producing random output but about producing consistent output given arbitrary input; in some measures, a CRC32 (32-bit cyclic redundancy check) could be considered a hash because it always produces the same output given the same input.
The "randomness" of a given function is a characteristic of how much input difference is required to get different output. In this case, since the input difference that really makes the difference is the system time, they are equally random.
Quote from: MyndFyrex86] link=topic=8090.msg102004#msg102004 date=1165625580]
Well, I said "mathematically distributed," not "randomly distributed."
In any case, Random when initialized without a seed will produce a sequence of numbers based on the system time when it is first initialized.
Producing a hash of static input will always produce the same result. Hashing isn't about producing random output but about producing consistent output given arbitrary input; in some measures, a CRC32 (32-bit cyclic redundancy check) could be considered a hash because it always produces the same output given the same input.
The "randomness" of a given function is a characteristic of how much input difference is required to get different output. In this case, since the input difference that really makes the difference is the system time, they are equally random.
"Producing a hash of static input will always produce the same result" is correct, but like you said, using a random function with static input will, as well. If you seed a good hash function and you seed a good random function, both with random values, you should get comparably secure outputs.
Both hash functions and random functions are designed to distribute the result evenly/randomly/unpredictably.
The main difference between the two is that hash functions are far, far slower than random functions, so it's not realistic to use them in many cases. But given a proper seed, I don't think there's a huge difference.