bug-classpath

[Bug crypto/38417] gnu.java.security.util.PRNG produces easily predictab


From: lloyd at randombit dot net
Subject: [Bug crypto/38417] gnu.java.security.util.PRNG produces easily predictable values
Date: 5 Dec 2008 20:44:34 -0000


------- Comment #2 from lloyd at randombit dot net  2008-12-05 20:44 -------
Created an attachment (id=16836)
 --> (http://gcc.gnu.org/bugzilla/attachment.cgi?id=16836&action=view)
C++ testcase that searches nearby time values

Here is what I am seeing:

$ g++ -Ibuild/include -L. guess_prng_output.cpp  -o guess_prng_output -lbotan 
$ gcj --main=PRNGTest prng.java -o prng
$ ./prng 
Time in ms is 1228509332707
e1bc6ebc96847774a843d3a73086a2f55b0bca86763729bb43fc4f3207966871e0be8a100efd4fc82
$  time ./guess_prng_output | grep -i =e1bc6
seed=1228509332707
hash=E1BC6EBC96847774A843D3A73086A2F55B0BCA86763729BB43FC4F3207966871E0BE8A00EFD4FC82

real    0m0.377s
user    0m0.368s
sys     0m0.006s

Obviously it produces a lot of other guesses, but not nearly as many as one
would hope it would take for it to guess a 320 bit long string.

Based on some very rough timings and estimates, it looks like it would take
about 8-12 hours to enumerate all keys for a year on a reasonably fast desktop
machine. Maybe much less with a bit of optimization work, since key search is
about the most embarrassingly parallel operation around and multicore chips are
cheap.


-- 


http://gcc.gnu.org/bugzilla/show_bug.cgi?id=38417
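
The effect reported in the comment above, as an added example (not part of the original post and not the attached C++ testcase): when the only secret input is a millisecond timestamp, a 320-bit output carries only as much uncertainty as the timestamp does. The generator here is a SHA-256 counter-mode stand-in, not Classpath's PRNG algorithm, and all function names are hypothetical.

```python
import hashlib
import math
import secrets

OUTPUT_BYTES = 40  # 320 bits, the output length discussed in the comment
MS_PER_YEAR = 365 * 24 * 60 * 60 * 1000

def stand_in_prng(seed: bytes, n: int = OUTPUT_BYTES) -> bytes:
    """Deterministic stand-in generator (assumption, not Classpath's code)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]

def time_seed(ms: int) -> bytes:
    """Encode a millisecond timestamp as the seed, the weak pattern at issue."""
    return ms.to_bytes(8, "big")

def recover_seed(observed: bytes, around_ms: int, window_ms: int):
    """Audit check: return the timestamp seed reproducing `observed`, else None."""
    for ms in range(around_ms - window_ms, around_ms + window_ms + 1):
        if stand_in_prng(time_seed(ms)) == observed:
            return ms
    return None

def effective_bits(candidates: int) -> float:
    """Upper bound on output entropy given the number of possible seeds."""
    return math.log2(candidates)

if __name__ == "__main__":
    true_ms = 1228509332707   # "Time in ms" value from the session above
    estimate = true_ms + 3210  # constructed: clock estimate off by ~3 seconds
    weak = stand_in_prng(time_seed(true_ms))
    print("time-seeded output recovered seed:", recover_seed(weak, estimate, 5000))
    print("bits if seed is any ms in a year: %.1f of %d"
          % (effective_bits(MS_PER_YEAR), OUTPUT_BYTES * 8))
    # Same generator seeded from the OS CSPRNG: the timestamp search finds nothing.
    strong = stand_in_prng(secrets.token_bytes(32))
    print("CSPRNG-seeded output recovered seed:", recover_seed(strong, estimate, 5000))
```
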




