mercredi 5 août 2015

Mixing other sources of random numbers with ones generated by /dev/urandom

Further to my question here, I'll be using the random_compat polyfill (which uses /dev/urandom) to generate random numbers in the 1 to 10,000,000 range.

I do realise, that all things being correct with how I code my project, the above tools should produce good (as in random/secure etc) data. However, I'd like to add extra sources of randomness into the mix - just in case 6 months down the line I read there is patch available for my specific OS version to fix a major bug in /dev/urandom (or any other issue).

So, I was thinking I can get numbers from random.org and fourmilab.ch/hotbits

An alternative source would be some logs from a web site I operate - timed to the microsecond, if I ignore the date/time part and just take the microseconds - this has in effect been generated by when humans decide to click on a link. I know this may be classed as haphazard rather than random, but would it be good for my use?

So let's say I take two sources of extra random numbers, A and B, and the output of /dev/urandom, call that U and set ranges as follows:

A and B are 1 - 500,000

U is 1 - 9,000,000

Final random number is A+B+U

I will be needing several million final numbers between 1 and 10,000,000

But the pool of A and B numbers will only contain a few thousand, but I think by using prime number amounts I can stretch that into millions of A&B combinations like so

// this pool will be integers from two sources and contain a larger prime number 
// of members instead of the 7 & 11 here - this sequence repeats at 77
$numbers = array("One","Two","Three","Four","Five","Six","Seven");
$colors = array("Silver","Gray","Black","Red","Maroon","Yellow","Olive","Lime","Green","Aqua","Orange");


$ni=0;
$ci=0;

for ($i=0;$i<$num_numbers_required;$i++) 
    {
    $offset =   $numbers[$ni] + $colors[$ci];

    if ($ni==6) // reset at prime num 7
        $ni=0;
    else
        $ni++;

    if ($ci==10) //  reset at  prime num 11
        $ci=0;
    else
        $ci++;

    }

Does this plan make sense - is there any possibility I can actually make my end result less secure by doing all this? And what of my idea to use timestamp data?

Thanks in advance.




Aucun commentaire:

Enregistrer un commentaire