There are two types of PRNGs: statistical and cryptographic. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG. Since Rand() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. This code uses the Rand() function to generate "unique" identifiers for the receipt pages it generates. Since CL_ABAP_RANDOM is a statistical PRNG, it is easy for an attacker to guess the strings it generates. This code uses the CL_ABAP_RANDOM->INT31 function to generate "unique" identifiers for the receipt pages it generates. R = cl_abap_random=>create( seed = var1 ).ĬONCATENATE baseUrl var3 ".html" INTO baseUrl. In general, if a PRNG algorithm is not advertised as being cryptographically secure, then it is probably a statistical PRNG and should not be used in security-sensitive contexts, where its use can lead to serious vulnerabilities such as easy-to-guess temporary passwords, predictable cryptographic keys, session hijacking, and DNS spoofing.Įxample: The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase.įORM GenerateReceiptURL CHANGING baseUrl TYPE string. For a value to be cryptographically secure, it must be impossible or highly improbable for an attacker to distinguish between the generated random value and a truly random value. Cryptographic PRNGs address this problem by generating output that is more difficult to predict. Statistical PRNGs provide useful statistical properties, but their output is highly predictable and form an easy to reproduce numeric stream that is unsuitable for use in cases where security depends on generated values being unpredictable. Pseudorandom Number Generators (PRNGs) approximate randomness algorithmically, starting with a seed from which subsequent values are calculated. Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in a security-sensitive context.Ĭomputers are deterministic machines, and as such are unable to produce true randomness.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |