View topic - More secure random numbers • AutoHotkey Community

View unanswered posts | View active topics

Board index » AutoHotkey » Scripts

All times are UTC [ DST ]

More secure random numbers

Page 2 of 4

[ 58 posts ]

Go to page Previous 1, 2, 3, 4 Next

Print view | E-mail friend

Previous topic | Next topic

Author

Message

Laszlo

Post subject:

Posted: October 24th, 2007, 10:49 pm

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

No, the last script was to demonstrate the fixed bits. You only need the GUID function from first post, and either RandR (for floating point random numbers) or RandI for random integers, also from the first post.

Top

Leon

Post subject:

Posted: October 24th, 2007, 11:32 pm

Joined: August 27th, 2007, 8:00 pm
Posts: 179

@Laszlo
Thanks. I've edited the code to my needs and it seems to be working fine.
I get the following which looks fine

Quote:

ed234b7cc39a849a41be48172e54f014
b13f45c20926a68c4ff9a9babeacc9d5
6234ee6a3b642aa749a6daf082dd45ca
946 1002 980 1051 962 991 1023 978 1049 1018

Could u please check my code below?
The lines commented with ;RandI were commented out as they are not necessary if using RandI instead of RandR - was I correct?
Also is there any advantage of RandR over RandI ?

Code:

;SetFormat float, 4.18               ;RandI

MsgBox % GUID()                     
MsgBox % GUID()
MsgBox % GUID()

;MsgBox % RandR()                    ;RandI            
;MsgBox % RandR()                    ;RandI                  
;MsgBox % RandR()                    ;RandI                    

Loop 10000                          
{
   f := RandI(0,9)                  
   d%f% += 1                        
}
MsgBox %d0%`n%d1%`n%d2%`n%d3%`n%d4%`n%d5%`n%d6%`n%d7%`n%d8%`n%d9%`n


GUID()         
{
   format = %A_FormatInteger%       
   SetFormat Integer, Hex           
   VarSetCapacity(A,16)
   DllCall("rpcrt4\UuidCreate","Str",A)
   Address := &A
   Loop 16
   {
      x := 256 + *Address          
      StringTrimLeft x, x, 3       
      h = %x%%h%                   
      Address++
   }
   SetFormat Integer, %format%     
   Return h
}

RandI(min,max) 
{
   VarSetCapacity(A,16)
   DllCall("rpcrt4\UuidCreate","Str",A)
   Address := &A - 1
   r = 0
   Loop 8
      r := (r + (*(Address+A_Index) ^ *(Address+A_Index+8)))/256.0
   Return min + Floor(r*(max-min+1))
}

Thanks for all your help

Top

Laszlo

Post subject:

Posted: October 24th, 2007, 11:50 pm

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

In AHK XOR is denoted by the caret symbol

Code:

*(Address+A_Index) ^ *(Address+A_Index+8))

The code takes bytes eight positions apart and XOR them, behind the scenes. The result is used, it has no fixed bits any more. (The result of the last loop tells that in 10,000 random numbers between 0 and 9 there were 946 zeros, 1002 ones, 980 twos…)

The code you posted is OK. RandR and RandI are used for different purposes. If you need random integers, use the later one, if you need floating point random numbers, used the former one.

Top

Leon

Post subject:

Posted: October 25th, 2007, 12:25 am

Joined: August 27th, 2007, 8:00 pm
Posts: 179

Aha! the caret!!

So for the pupose of creating a random number to use as a hash key, I would be better to use RandI, right?

Top

Laszlo

Post subject:

Posted: October 25th, 2007, 12:56 am

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

right

Top

Leon

Post subject:

Posted: October 25th, 2007, 1:07 am

Joined: August 27th, 2007, 8:00 pm
Posts: 179

Quote:

(The result of the last loop tells that in 10,000 random numbers between 0 and 9 there were 946 zeros, 1002 ones, 980 twos…)

I guess these could almost be used as extra numbers for hashing.
But they are so similar would it be of any use to do so?

Top

Laszlo

Post subject:

Posted: October 25th, 2007, 1:56 am

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

Of course, they are similar: these are the frequencies of random integers. If they are uniformly distributed, they should occur roughly the same number of times. It is actually a randomness test. If the deviation from the mean (1,000) is larger than 3σ (~100), we had a problem. Don’t use these numbers for other purposes: they are slow to generate and should be close together.

Top

Leon

Post subject:

Posted: October 25th, 2007, 2:19 am

Joined: August 27th, 2007, 8:00 pm
Posts: 179

I see.
So if I use the script below to generate a key for the purposes of hashing some unique info,
would it be worth including the randomness test in a such a system, combined with having the script check the difference between values (ie check randomness) and if they are not deemed random enough take alternative action (exit i assume)

Could including it for example, detect user interference (attempted hacking)?
Or are there also possible situations where a such a level of (inadequate) randomness could occur through no malicious intent by User?

Code:

MsgBox % GUID()

GUID()         
{
   format = %A_FormatInteger%       
   SetFormat Integer, Hex           
   VarSetCapacity(A,16)
   DllCall("rpcrt4\UuidCreate","Str",A)
   Address := &A
   Loop 16
   {
      x := 256 + *Address          
      StringTrimLeft x, x, 3       
      h = %x%%h%                   
      Address++
   }
   SetFormat Integer, %format%     
   Return h
}

Top

Laszlo

Post subject:

Posted: October 25th, 2007, 3:21 am

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

This test was posted to prove the concept. You don’t need it. Either the GUID’s are good, or you should see an error returned from DllCall(“rpcrt4\UuidCreate”,”Str”,A). Either the ErroLevel or the return value is nonzero, non-empty.

It is possible that an attacker replaces the rpcrt4.dll in the target PC, and generates bad GUID’s. However, if he is not stupid, he would generate random looking ID’s, (something like a truncated multiple of the time), so such a simple randomness test would not catch him, but he has a pretty good idea about the generated number. I would not bother testing the GUID’s, only possible errors, like

Code:

; ...
Result := DllCall(“rpcrt4\UuidCreate”,”Str”,A)
If (result or ErrorLevel)
   MsgBox GUID is not supported
; ...

With “generate a key for the purposes of hashing” you probably mean “a key for the purposes of encrypting”. These GUID’s can be good for crypto keys, but knowing nothing about the algorithm generating them, we cannot be sure. Some physical source of randomness could be safer.

Last edited by Laszlo on October 25th, 2007, 6:18 am, edited 1 time in total.

Top

Laszlo

Post subject:

Posted: October 25th, 2007, 3:44 am

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

Btw, for more recent AHK versions we can write the GUID function a little compacter

Code:

GUID() {
   format = %A_FormatInteger%
   SetFormat Integer, Hex
   VarSetCapacity(A,16)
   DllCall("rpcrt4\UuidCreate","Str",A)
   Loop 16
      h .= SubStr(256+NumGet(A,A_Index-1,"UChar"),-1)
   SetFormat Integer, %format%
   Return h
}

Top

Leon

Post subject:

Posted: October 25th, 2007, 4:00 am

Joined: August 27th, 2007, 8:00 pm
Posts: 179

Thanks for the more compact option.

Quote:

With “generate a key for the purposes of hashing” you probably mean “a key for the purposes of encrypting”

Yes I'm not too sure of the terminology there, so to clarify, I would like to use the Processor ID (globally unique and available from any processor as far as I know - correct me if I'm wrong)
and have it "interact" with the GUID in order to "disguise" it so as not to be dealing with people's private info.
By interact, I'm not yet sure what I mean. I guess multiplication?
Although that seems very simple.
Would it be better to use a method like the (K0, K1 etc) keys from your "SW copy protection" thread?

Top

Leon

Post subject:

Posted: October 25th, 2007, 4:05 am

Joined: August 27th, 2007, 8:00 pm
Posts: 179

Laszlo wrote:

I would not bother testing the GUID’s, only possible errors, like

Code:

; ...
Result = DllCall(“rpcrt4\UuidCreate”,”Str”,A)
If (result or ErrorLevel)
   MsgBox GUID is not supported
; ...

So it is possible for that to happen then - for GUIDs to not be supported? (only concerned with XP or later)
If so, do u have any experience / guess as to how likley /frequent that could happen?

Top

Laszlo

Post subject:

Posted: October 25th, 2007, 4:13 am

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

I think it would not happen in XP, 2003 or Vista.

...and here is an even shorter version, w/o the likely unnecessary error check:

Code:

GUID() {
   VarSetCapacity(A,16), S := "12"
   DllCall("rpcrt4\UuidCreate","Str",A)
   Loop 16
      DllCall("msvcrt\sprintf", Str,S, Str,"%02x", "Uchar",*(&A+A_Index-1)), h .= S
   Return h
}

Top

Leon

Post subject:

Posted: October 25th, 2007, 4:40 am

Joined: August 27th, 2007, 8:00 pm
Posts: 179

Thanks a lot Laszlo.

As a test i added the error check to the shortest code, but I got "GUID not supported". I have commented the various places i tried adding the error checking code.
Purely so I learn... where I am i wrong here?

Code:

;HERE   

GUID() {
   VarSetCapacity(A,16), S := "12"
   DllCall("rpcrt4\UuidCreate","Str",A)
   Result = DllCall(“rpcrt4\UuidCreate”,”Str”,A)
;HERE
   Loop 16
      DllCall("msvcrt\sprintf", Str,S, Str,"%02x", "Uchar",*(&A+A_Index-1)), h .= S
   Return h
}
MsgBox % GUID()
;HERE

Top

Laszlo

Post subject:

Posted: October 25th, 2007, 6:20 am

Joined: February 14th, 2005, 4:05 pm
Posts: 4710
Location: Boulder, CO

Sorry, there was a typo in the error check. We need ":=", not "=".

Code:

GUID() {
   VarSetCapacity(A,16), S := "12"
   DllCall("rpcrt4\UuidCreate","Str",A)
   Result := DllCall("rpcrt4\UuidCreate","Str",A)
   If (result or ErrorLevel)
      MsgBox % GUID is not supported
   Loop 16
      DllCall("msvcrt\sprintf", Str,S, Str,"%02x", "Uchar",*(&A+A_Index-1)), h .= S
   Return h
}

Top

Page 2 of 4

[ 58 posts ]

Go to page Previous 1, 2, 3, 4 Next

Board index » AutoHotkey » Scripts

All times are UTC [ DST ]

Who is online

Users browsing this forum: Relayer and 18 guests

You can post new topics in this forum
You can reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum