Which brings into the light the question: Just *why* have so many random number generators proved to be so weak?

Your three cases left off an important one: Not bothering to seed the PRNG at all. I think the Java/Android cryptographic (!) library bug that just came up was an instance of that.

I think the root of the problem is that programs are written, and bugs squashed, until the program works. Maybe throw some additional testing at it if we are being thorough, but then business pressures and boredom say ship it.

That won't catch a PRNG that wasn't seeded, nor a hashed password that wasn't salted, the unprotected URL, the SQL injection path, buffer overflow, etc.

Computer security is design, implementation, and skepticism. But unless you can sell it with a buzzword...
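As an added illustration of the "never seeded" case raised above (this is example code, not anything from the post's author or from the Java/Android library mentioned), the block below builds a toy linear congruential generator, `ToyLcg`, whose constructor silently falls back to a fixed constant when no seed is given. The `replays_same_stream` check is the kind of test that "the program works" development never runs: it creates two fresh instances and compares their first outputs, which only agree if the generator is unseeded or seeded from a constant. `session_token` shows the sidestep a defender should prefer for secrets: the OS CSPRNG via Python's `secrets` module. `ToyLcg`, its constants and the helper names are all constructed for this example.

```python
import secrets


class ToyLcg:
    """Toy linear congruential generator, constructed for illustration only.

    It is deliberately not a real library's PRNG; it exists to show the
    'unseeded by default' bug pattern and how a test can catch it.
    """

    M = 2**31 - 1   # Park-Miller modulus
    A = 48271       # Park-Miller multiplier

    def __init__(self, seed=None):
        # Bug pattern from the post: with no seed supplied, fall back to a
        # fixed constant, so every fresh instance replays the same stream.
        state = seed if seed is not None else 12345
        self.state = state % self.M or 1  # avoid the absorbing state 0

    def next_int(self):
        self.state = (self.state * self.A) % self.M
        return self.state


def unseeded_factory():
    """The buggy usage: caller forgets to seed."""
    return ToyLcg()


def seeded_factory():
    """The corrected usage: seed from the OS CSPRNG (32 bits here, to keep
    the toy's state small; a real generator wants its full state seeded)."""
    return ToyLcg(int.from_bytes(secrets.token_bytes(4), "big"))


def first_outputs(factory, count=8):
    gen = factory()
    return [gen.next_int() for _ in range(count)]


def replays_same_stream(factory, count=8):
    """Detection check for an unseeded PRNG.

    Two independently constructed generators that agree on their first
    `count` outputs are (with overwhelming probability) not being seeded
    from anything unpredictable. Returns True when the stream repeats.
    """
    return first_outputs(factory, count) == first_outputs(factory, count)


def session_token(nbytes=16):
    """For secrets, skip the PRNG question entirely and use the OS CSPRNG."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    print("unseeded generator repeats:", replays_same_stream(unseeded_factory))
    print("seeded generator repeats:  ", replays_same_stream(seeded_factory))
    print("token:", session_token())
```

Running it prints `True` for the unseeded factory and `False` for the seeded one; the same two-instance comparison can be dropped into a unit test around any wrapper that constructs a PRNG, so a missing seed fails the build instead of shipping.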