True random numbers are generated from physical phenomena such as coin tosses, dice, spinning wheels, noise in electronic components, nuclear fission, and so on. Such a generator is called a physical random number generator. It is very reliable, but it is difficult to realize on a computer; its disadvantage is that the technical requirements are relatively high.
Pseudo-random numbers are sufficient in practical applications. These sequences appear to be random, but in fact they are produced by a fixed, repeatable calculation. The random numbers generated by a computer have a very long period. They are not truly random, because they can be computed, but they have statistical characteristics similar to those of random numbers. Such generators are called pseudo-random number generators.
Pseudo-random numbers are divided into strong and weak ones. A strong pseudo-random number is one that is relatively difficult to guess, for example one derived from the amount of memory used by the server; a weak pseudo-random number is one that is relatively easy to guess, a typical example being the current timestamp.
C, C++, Java and other programming languages and software provide random number generation functions or classes. Taking Java, the language we use most, as an example: the strong pseudo-random number generator is implemented by the java.security.SecureRandom class, which uses values such as the size of the temp folder and the thread sleep time as the random number seed, while the weak pseudo-random number generator is implemented by the java.util.Random class, which uses the current time as the seed by default and computes the next random number with the linear congruential method.
import java.util.Random;

Random r = new Random(10000); // 10000 is the seed; by default the current time is used as the seed
for (int i = 0; i < 5; ++i) {
    System.out.println(r.nextInt());
}

No matter how many times the above code is run, it prints the following results:
-498702880
-858606152
1942818232
-1044940345
1588429001
The result is stable. This follows from the linear congruential method: the same seed always produces the same sequence. So if a program generates random numbers with the Random class, it is actually easy to infer the next random number from the last one generated.
Next, let's look at some common scenarios that use random numbers and analyze the causes of the errors.
Many account systems have a password recovery function. Recovering a password by sending a verification code to the phone, or by sending a verification code or a password reset link to the mailbox, all rely on pseudo-random numbers.
The following example is a website that recovers passwords through a reset link sent by email. After completing the steps on the page, the following password reset link is found in the security mailbox:
http://www.xxx.com/findpwd/setpwdfromemail?vc=2ABB36620A927644607491393EF0D5EF&u=xxx%40gmail.com
Analysis shows that vc=2abb36620a927644607491393ef0d5ef is an MD5 value; once reversed, the value is 1339744000, which is a UNIX timestamp! It can therefore be guessed that a timestamp is bound to the account when the user requests password recovery, so changing the user's password only requires knowing this timestamp. Moreover, server time is generally synchronized with standard time, which means the UNIX timestamp is predictable. The token can be brute-forced by traversing the current standard time plus a network delay.
Verification codes are another typical application of pseudo-random numbers. A verification code is a very effective protection and human-machine differentiation mechanism: it can protect passwords from brute force and can prevent vote rigging, screen flooding, and repeated submission of malicious data. Similar applications exist in the coupons or redemption codes of promotional activities; if the redemption code is poorly designed, it is easy to break the fairness of the activity.
To summarize, there are a few points to note when using random numbers:
Do not use timestamps as random numbers
Use different seeds for different uses of random numbers
For random numbers with high security requirements, use a strong pseudo-random number generator
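The linear congruential step behind java.util.Random, re-implemented in Python as an added example (not code from the original article), next to a reset code drawn from the operating system's CSPRNG. The names JavaRandom, first_outputs, weak_reset_code and strong_reset_code are hypothetical, and the issue time used in the demo run is a constructed value.

```python
import secrets

# Constants documented for java.util.Random's 48-bit generator.
MULT, INC, MASK = 0x5DEECE66D, 0xB, (1 << 48) - 1


class JavaRandom:
    """Minimal re-implementation of java.util.Random's nextInt()."""

    def __init__(self, seed):
        # Java scrambles the caller's seed by XOR with the multiplier.
        self.state = (seed ^ MULT) & MASK

    def next_int(self):
        # One LCG step; the top 32 of the 48 state bits become a signed int.
        self.state = (self.state * MULT + INC) & MASK
        value = self.state >> 16
        return value - (1 << 32) if value >= (1 << 31) else value


def first_outputs(seed, count=5):
    """The whole sequence is a pure function of the seed."""
    rng = JavaRandom(seed)
    return [rng.next_int() for _ in range(count)]


def weak_reset_code(issued_at_ms):
    # Weak pattern (assumed for illustration): generator seeded with the
    # issue time, so the code depends on nothing but a guessable clock value.
    return format(JavaRandom(issued_at_ms).next_int() & 0xFFFFFFFF, "08x")


def strong_reset_code():
    # Hardened form: 32 bytes from the OS CSPRNG, no caller-visible seed.
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    print(first_outputs(10000))            # seed used in the article's Java snippet
    issued = 1339744000000                 # constructed issue time in milliseconds
    print(weak_reset_code(issued), weak_reset_code(issued))  # identical twice
    print(strong_reset_code())             # different on every call
```

Store only a hash of the strong code on the server, bind it to the account, and expire it after one use.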
Pseudo-Random number security