“Alea iacta est.” [The die is cast]
—JULIUS CAESAR on crossing the Rubicon
One software security issue that turns out to be a much bigger problem than many people realize involves misuse of random number generation facilities. Random numbers are important in security for generating cryptographic keys, shuffling cards, and many other things. Many developers assume that random() and similar functions produce unpredictable results. Unfortunately, this is a flawed assumption. A call to random() is really a call to a traditional “pseudo-random” number generator (PRNG) that happens to be quite predictable. Even some developers who are aware of the potential problems convince themselves that an attack is too difficult ...
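The point above, shown as an added example that is not part of the original text: it uses Python's random module as a stand-in for random(), and measures how many distinct 128-bit keys a timestamp-seeded PRNG can actually produce. The key size, the function names, and the one-hour window of second-resolution seeds are assumptions constructed for the illustration.

```python
import random
import secrets

KEY_BYTES = 16                 # 128-bit key (constructed example size)
WINDOW_START = 1_700_000_000   # constructed Unix timestamp
WINDOW_END = WINDOW_START + 3599  # one hour of second-resolution seeds


def weak_key(seed: int) -> bytes:
    """Key drawn from a seeded PRNG: a pure function of the seed."""
    prng = random.Random(seed)
    return bytes(prng.getrandbits(8) for _ in range(KEY_BYTES))


def strong_key() -> bytes:
    """Key drawn from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BYTES)


def effective_keyspace(first_seed: int, last_seed: int) -> int:
    """Count the distinct keys weak_key() can emit when the seed lies
    anywhere in [first_seed, last_seed]."""
    return len({weak_key(s) for s in range(first_seed, last_seed + 1)})


if __name__ == "__main__":
    # Same seed, same "random" key: nothing here is unpredictable
    # once the seed is known or can be narrowed down.
    print(weak_key(WINDOW_START) == weak_key(WINDOW_START))

    # A nominally 128-bit key has only as many possible values as
    # there are plausible seeds.
    n = effective_keyspace(WINDOW_START, WINDOW_END)
    print(f"nominal keyspace: 2**{KEY_BYTES * 8}, effective: {n}")

    # The CSPRNG-backed key does not depend on any guessable seed.
    print(strong_key().hex())
```

For keys, tokens, and anything else that must be unguessable, the generator to audit for is the seeded PRNG; the replacement is the platform's cryptographic source, as in strong_key().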