lua - (Secure) Random string?


In Lua, one would generate random values and/or strings using math.random & math.randomseed, where os.time is used for math.randomseed.

This method has one major weakness: the returned number is only as random as the current time, and the interval for each random number is one second, which is way too long if one needs many random values in a short time.

This issue is pointed out on the Lua users wiki: http://lua-users.org/wiki/mathlibrarytutorial, and in the corresponding RandomStrings recipe: http://lua-users.org/wiki/randomstrings.

So I've sat down and wrote a different algorithm (if it can be called that), which generates random numbers by (mis-)using the memory addresses of tables:

    math.randomseed(os.time())

    -- Derive a number from the text that tostring() returns for a fresh table.
    function realrandom(maxlen)
        local tbl = {}
        -- "table: " is 7 characters, so position 8 starts the pointer text
        local num = tonumber(string.sub(tostring(tbl), 8))
        if maxlen ~= nil then
            num = num % maxlen
        end
        return num
    end

    -- Build a random string of the given length from the bytes matching pattern.
    function string.random(length,pattern)
        local length = length or 11
        local pattern = pattern or '%a%d'
        local rand = ""
        local allchars = ""
        for loop=0, 255 do
            allchars = allchars .. string.char(loop)
        end
        local str=string.gsub(allchars, '[^'..pattern..']','')
        while string.len(rand) ~= length do
            local randidx = realrandom(string.len(str))
            local randbyte = string.byte(str, randidx)
            rand = rand .. string.char(randbyte)
        end

        return rand
    end

At first, it seems random, and I'm sure they are... at least for the current program.

So my question is, how random are these numbers returned by realrandom really?

Or is there a better way to generate random numbers in an interval shorter than one second (which kind of implies os.time shouldn't be used, as explained above), without relying on external libraries and, if possible, in an entirely cross-platform manner?

Edit:
There seems to be a major misunderstanding regarding the way the RNG is seeded; in production code, the call to math.randomseed() happens once, this was a badly chosen example here.

What I mean by the random value being random once per second is demonstrated by this paste: http://codepad.org/4cdstpcd


As this question was downvoted regardless of my edits, I cancelled the accepted answer, in the hope of a better one, even if only better opinions. I understand that issues regarding random values/numbers have been discussed many times before, but I have not found such a question relevant to Lua. Please keep that in mind!

Some thoughts on the first part of your question:

"So my question is, how random are these numbers returned by realrandom really?"

Your function is attempting to discover the address of a table using a quirk of the default implementation of tostring(). I don't believe the string returned by tostring{} has a specified format, or that the value included in the string has a documented meaning. In practice, it is derived from the address of something related to the specific table, and distinct tables convert to distinct strings. However, the next version of Lua is free to change it to whatever is convenient. Worse, the format it takes is highly platform dependent, because it appears to use the %p format specifier of sprintf(), which is specified only as being a sensible representation of a pointer.

There's a bigger issue. While the address of the nth table created in a process might seem random on your platform, it might not be random at all. Or it might vary in only a few bits. For example, on my Win7 box a few bits vary, and not randomly:

    c:...>for /l %i in (1,1,20) do @ lua -e "print{}"
    table: 0042e5d8
    table: 0061e5d8
    table: 0024e5d8
    table: 0049e5d8
    table: 0042e5d8
    table: 0042e5d8
    table: 0042e5d8
    table: 0064e5d8
    table: 0042e5d8
    table: 002fe5d8
    table: 0042e5d8
    table: 0049e5d8
    table: 0042e5d8
    table: 0042e5d8
    table: 0042e5d8
    table: 0024e5d8
    table: 0042e5d8
    table: 0042e5d8
    table: 0061e5d8
    table: 0042e5d8

Other platforms vary, of course. I'd expect there to be platforms where the address of the first allocated table is deterministic, and hence identical on every run of the program.

In short, the address of an arbitrary object in your process image is not a source of randomness.

Edit: For completeness, I'd add a couple of other thoughts that came to mind overnight.

The stock tostring() function is supplied by the base library and implemented by the function luaB_tostring(). The relevant bit is this fragment:

    switch (lua_type(L, 1)) {
      ...
      default:
        lua_pushfstring(L, "%s: %p", luaL_typename(L, 1), lua_topointer(L, 1));
        break;

If you are calling this function, the end of the string is an address, represented by the standard C sprintf() format %p, related to the specific table. One observation is that I've seen several distinct implementations of %p. Windows msvcr80.dll (the version of the C library used by the current release of Lua for Windows) makes it equivalent to %08x. My Ubuntu Karmic Koala box appears to make it equivalent to %#x, which notably drops leading zeros. If you are going to parse out that part of the string, you should do it in a way that is more flexible in the face of variation in the meaning of %p.

Note, also, that doing this in library code may expose you to a couple of surprises.

First, if the table passed to tostring() has a metatable that provides the function __tostring(), that function is called, and the fragment quoted above is never executed at all. In your case, the issue cannot arise because tables have individual metatables, and you didn't accidentally apply a metatable to your local table.

Second, by the time your module loads, some other module or user-supplied code might have replaced the stock tostring() with something else. If the replacement is benign (such as a memoization wrapper), it doesn't matter to the code as written. However, it is a source of attack, and is entirely outside the control of your module. That doesn't strike me as a good idea if the goal is some kind of improved security for random seed material.

Third, you might not be loaded in the stock Lua interpreter at all, and a larger application (Lightroom, WoW, Wireshark, ...) may choose to replace the base library functions with its own implementations. This is less of an issue for tostring(), but note that the base library's print() is a frequent target for replacement or removal in alternate implementations, and there are modules (Lua Lanes, for one) that break if print is not the implementation in the base library.
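
An added example, not part of the original question or answer: it parses tostring{} output in both %p renderings mentioned above and measures how much the 20 Win7 samples quoted in the answer actually vary. The names parse_addr and analyse are made up for this illustration, and the 48-bit scan width is an assumption about pointer size.

```lua
-- Added example. The sample lines are the Win7 output quoted in the answer.
local samples = {
  "table: 0042e5d8", "table: 0061e5d8", "table: 0024e5d8", "table: 0049e5d8",
  "table: 0042e5d8", "table: 0042e5d8", "table: 0042e5d8", "table: 0064e5d8",
  "table: 0042e5d8", "table: 002fe5d8", "table: 0042e5d8", "table: 0049e5d8",
  "table: 0042e5d8", "table: 0042e5d8", "table: 0042e5d8", "table: 0024e5d8",
  "table: 0042e5d8", "table: 0042e5d8", "table: 0061e5d8", "table: 0042e5d8",
}
-- Accept both renderings of %p: zero-padded ("0042e5d8") and "0x"-prefixed.
-- Returns nil when the text carries no pointer, e.g. behind __tostring.
local function parse_addr(text)
  local hex = text:match(":%s*0[xX](%x+)$") or text:match(":%s*(%x+)$")
  return hex and tonumber(hex, 16)
end
-- Returns: parsed count, distinct values, number of bit positions that ever
-- differ, and the Shannon entropy (in bits) of the observed distribution.
local function analyse(lines)
  local addrs, freq, distinct = {}, {}, 0
  for _, line in ipairs(lines) do
    local a = parse_addr(line)
    if a then
      addrs[#addrs + 1] = a
      if not freq[a] then distinct = distinct + 1 end
      freq[a] = (freq[a] or 0) + 1
    end
  end
  if #addrs == 0 then return 0, 0, 0, 0 end
  local varying = 0
  for bit = 0, 47 do  -- assumption: addresses fit in 48 bits
    local first = math.floor(addrs[1] / 2^bit) % 2
    for i = 2, #addrs do
      if math.floor(addrs[i] / 2^bit) % 2 ~= first then
        varying = varying + 1
        break
      end
    end
  end
  local entropy = 0
  for _, n in pairs(freq) do
    local p = n / #addrs
    entropy = entropy - p * math.log(p) / math.log(2)
  end
  return #addrs, distinct, varying, entropy
end

print(("%d samples, %d distinct, %d varying bits, %.2f bits of entropy")
  :format(analyse(samples)))
-- A table whose metatable defines __tostring exposes no address at all.
local masked = setmetatable({}, { __tostring = function() return "custom" end })
print(parse_addr(tostring(masked)))
```

Feeding it the output of the same loop from another platform shows how many bits of the address change between runs there.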

