10. Randomness and Determinism
“Alea iacta est.” [The die is cast]
—JULIUS CAESARon crossing the Rubicon
One software security issue that turns out to be a much bigger problem than many people realize involves misuse of random number generation facilities. Random numbers are important in security for generating cryptographic keys, shuffling cards, and many other things. Many developers assume that random()
and similar functions produce unpredictable results. Unfortunately, this is a flawed assumption. A call to random()
is really a call to a traditional “pseudo-random” number generator (PRNG) that happens to be quite predictable. Even some developers who are aware of the potential problems convince themselves that an attack is too difficult ...
Get Building Secure Software: How to Avoid Security Problems the Right Way now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.