<a href="http://g.adspeed.net/ad.php?do=clk&zid=15220&wd=468&ht=60&pair=as" target="_blank"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15220&wd=468&ht=60&pair=as" alt="i" width="468" height="60"/></a>
Log in
::
Register
::
Not logged in
Home
Tags
Articles
Editorials
Stairways
Forums
Scripts
Videos
Blogs
QotD
Books
Ask SSC
SQL Jobs
Training
Authors
About us
Contact us
Newsletters
Write for us
<a href="http://g.adspeed.net/ad.php?do=clk&zid=15491&wd=120&ht=300&pair=as" target="_top"><img style="border:0px;" src="http://g.adspeed.net/ad.php?do=img&zid=15491&wd=120&ht=300&pair=as" alt="i" width="120" height="300"/></a>
Recent Posts
Recent Posts
Popular Topics
Popular Topics
Home
Search
Members
Calendar
Who's On
Home
»
SQL Server 2008
»
T-SQL (SS2K8)
»
Issue with crypt_gen_random
14 posts, Page 2 of 2
««
1
2
Issue with crypt_gen_random
Rate Topic
Display Mode
Topic Options
Author
Message
Jeff Moden
Jeff Moden
Posted Tuesday, February 19, 2013 9:22 AM
SSC-Dedicated
Group: General Forum Members
Last Login: Today @ 12:30 PM
Points: 32,893,
Visits: 26,770
Got it. Thanks for the clarification, Nadrek.
It would, however, be interesting to see how someone might reverse engineer things to be able to pick the next random number without it being "cryto secure". There are a whole lot of apparent sequences that can be had out of a NEWID().
--Jeff Moden
"
RBAR
is pronounced "ree-bar" and is a "Modenism" for "
R
ow-
B
y-
A
gonizing-
R
ow".
First step towards the paradigm shift of writing Set Based code:
Stop thinking about what you want to do to a row... think, instead, of what you want to do to a column."
For better, quicker answers on T-SQL questions, click on the following...
http://www.sqlservercentral.com/articles/Best+Practices/61537/
For better answers on performance questions, click on the following...
http://www.sqlservercentral.com/articles/SQLServerCentral/66909/
Post #1421717
Nadrek
Nadrek
Posted Tuesday, February 19, 2013 9:40 AM
Say Hey Kid
Group: General Forum Members
Last Login: Monday, May 13, 2013 9:25 AM
Points: 670,
Visits: 2,026
No problem, Jeff.
Note that it's not as much about guessing the next value as it is about some output patterns being more likely than others. Perhaps every third bit has a 65% +-2% chance of being a 1, instead of a 50% chance. Perhaps exactly three 0's in a row never happens. Perhaps the pseudo-random number cycle repeats every 64K. Perhaps there's only a 20% chance of a 1 if the value 32 bits prior was a 1.
If you want to see some of this, try running of your NEWID() generators, set it for binary-type output, and run a couple gigabytes of data or so into something like the
Dieharder test suite
, and see what the results are - I'll lay very good odds there are noticeable patterns in the output.
References:
NIST SP 800-22 A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
DRAFT NIST SP 800-90C A Statistical Test Suite for Random and Pseudorandom Number Generators for Cryptographic Applications
Post #1421725
_simon_
_simon_
Posted Wednesday, February 20, 2013 4:13 AM
SSC-Enthusiastic
Group: General Forum Members
Last Login: Monday, May 06, 2013 3:52 AM
Points: 156,
Visits: 648
Well the point is, that my application is under frequend audits by our client and the random number generator is an important part of it (i am creating lottery games) and therefore it should be as strong as possible. We aren't using any hardware random number generators, so something from inside the 'system' should be used.
From this point of view - I can defend my random number generator (
http://en.wikipedia.org/wiki/CryptGenRandom
,
http://www.codinghorror.com/blog/2006/11/computers-are-lousy-random-number-generators.html
), but not the newid() function.
Post #1422017
Paul White
Paul White
Posted Wednesday, February 20, 2013 4:26 AM
SSChampion
Group: General Forum Members
Last Login: Wednesday, May 08, 2013 10:33 AM
Points: 10,989,
Visits: 10,529
_simon_ (2/20/2013)
Well the point is, that my application is under frequend audits by our client and the random number generator is an important part of it (i am creating lottery games) and therefore it should be as strong as possible. We aren't using any hardware random number generators, so something from inside the 'system' should be used.
From this point of view - I can defend my random number generator (
http://en.wikipedia.org/wiki/CryptGenRandom
,
http://www.codinghorror.com/blog/2006/11/computers-are-lousy-random-number-generators.html
), but not the newid() function.
Seems like an entirely sound use of a CLR function to me.
Paul White
SQL Server MVP
SQLblog.com
@SQL_Kiwi
Post #1422023
« Prev Topic
|
Next Topic »
14 posts, Page 2 of 2
««
1
2
Permissions
You
cannot
post new topics.
You
cannot
post topic replies.
You
cannot
post new polls.
You
cannot
post replies to polls.
You
cannot
edit your own topics.
You
cannot
delete your own topics.
You
cannot
edit other topics.
You
cannot
delete other topics.
You
cannot
edit your own posts.
You
cannot
edit other posts.
You
cannot
delete your own posts.
You
cannot
delete other posts.
You
cannot
post events.
You
cannot
edit your own events.
You
cannot
edit other events.
You
cannot
delete your own events.
You
cannot
delete other events.
You
cannot
send private messages.
You
cannot
send emails.
You
may
read topics.
You
cannot
rate topics.
You
cannot
vote within polls.
You
cannot
upload attachments.
You
may
download attachments.
You
cannot
post HTML code.
You
cannot
edit HTML code.
You
cannot
post IFCode.
You
cannot
post JavaScript.
You
cannot
post EmotIcons.
You
cannot
post or upload images.
Copyright © 2002-2013 Simple Talk Publishing. All Rights Reserved.
Privacy Policy.
Terms of Use.
Report Abuse.
