while studying some security things, there was a question that one can guess the generation of some sequence for rand (timestamp) running in webserver. He said that our first goal should crash the server (assuming that server will get up in 1 min), we can sync our generator with server and then rand (timestamp) generated by the webserver could be same with our generator.
I am confuse, if we have a function rand (timestamp) would not it be depend on system timestamp or on server “up time” stamp?
P.S:
Asking a general question – its not dependent if it is in JAVA/PHP/ASP. Just asking how webserver/compiler work for such code?
May be its vague question but i would like to make clarification.
The default behaviour of many implementions of
rand(), is to use the system time as a seed if a seed value is not supplied. Even if that is not the default behaviour, it is almost guaranteed that an application will pass the system time tosrand()as a seed to randomise the sequence.So, if you know the precise system time, you can generate the same sequence that would be produced from the remote system calling
rand(). Several years ago, an online casino was attacked using this random sequence prediction technique.The solution is two-fold: derive the seed from a non-predictable hardware source (there are commercial units to this) AND use the longest pseudo-number generator available.
There have been many questions on SO on the topic of hardware generators, for instance:
What Type of Random Number Generator is Used in the Gaming Industry?
Alternative Entropy Sources